Recently, Microsoft disclosed a vulnerability in Microsoft Outlook for Windows. The vulnerability lets a remote, unauthenticated attacker steal a victim's NTLMv2 hash by sending a specially crafted email to their Outlook mailbox. The victim does not need to open the malicious email: it triggers automatically when the Outlook client receives and processes the message, even before the email is shown in the Preview Pane. The attacker can then relay the NTLMv2 hash to other services that support NTLM authentication and authenticate as the victim.
This vulnerability has been exploited in the wild in targeted attacks. It is tracked as CVE-2023-23397 and has been rated CVSS 9.8, a critical vulnerability.
All versions of Microsoft Outlook for Windows are affected, including Office 2013, 2016, and 2019. Outlook for other platforms, such as Android, iOS, and Mac, as well as Outlook on the web and other M365 services, are not affected.
Mitigation Steps recommended by Sedara:
- Microsoft released a patch for this vulnerability on Patch Tuesday (March 14). We strongly recommend that administrators test and deploy Microsoft Office patches up to the current level.
- Where up-to-date patches cannot be applied yet, Microsoft suggests adding high-value users to the "Protected Users" security group, which prevents those accounts from authenticating with NTLM. Microsoft warns that this may break applications that require NTLM; if that happens, the restriction is lifted once the user is removed from the Protected Users security group.
- Microsoft also suggests, where possible, that admins block outbound TCP 445 (SMB) on perimeter firewalls. This prevents NTLM authentication messages from leaving the network.
- Microsoft has published documentation and a PowerShell script for administrators to check whether their organization has been targeted with this vulnerability. The script checks for, and can clean up, mail, calendar, and task items that carry this exploit. The script and documentation are available at: https://aka.ms/CVE-2023-23397ScriptDoc.
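The three operational steps above (confirm the installed Office build, move high-value accounts into Protected Users, and block outbound SMB) as one added PowerShell script. This is an illustrative example written for this page; it is not part of Sedara's post and is unrelated to Microsoft's published check-and-clean script. It assumes a domain-joined administrative workstation with the ActiveDirectory and NetSecurity modules installed and a Domain Admin session; the account names in `$HighValueUsers` are constructed placeholders.

```powershell
# Added example, not Sedara's or Microsoft's code. Assumptions: run elevated on a
# domain-joined admin host with the ActiveDirectory and NetSecurity modules present.
#Requires -Modules ActiveDirectory, NetSecurity

# 1. Report the installed Office build so it can be compared against the March 14
#    Patch Tuesday release notes. Click-to-Run installs record the version here;
#    MSI-based Office must be checked through Installed Updates instead.
function Get-OfficeC2RVersion {
    $cfg = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $cfg) {
        return (Get-ItemProperty -Path $cfg).VersionToReport
    }
    Write-Warning 'No Click-to-Run configuration found; check MSI-based Office via Installed Updates.'
    return $null
}

# 2. Put high-value accounts into Protected Users, which stops them authenticating
#    with NTLM. Current membership is saved first so the change can be reverted
#    if an NTLM-dependent application breaks, as Microsoft warns it may.
function Add-ToProtectedUsers {
    param([Parameter(Mandatory)] [string[]] $SamAccountNames)
    $before = Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty SamAccountName
    $before | Out-File -FilePath '.\ProtectedUsers-before.txt'
    foreach ($sam in $SamAccountNames) {
        if ($before -contains $sam) {
            Write-Host "$sam is already in Protected Users"
            continue
        }
        Add-ADGroupMember -Identity 'Protected Users' -Members $sam
        Write-Host "Added $sam to Protected Users"
    }
}

# 3. Host-level companion to the perimeter rule: block outbound TCP 445 to
#    Internet addresses only, so SMB to intranet file servers keeps working.
function Block-OutboundSmbToInternet {
    $name = 'Block outbound SMB (TCP 445) to Internet - CVE-2023-23397 mitigation'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    return Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Action
}

# Constructed placeholder input: replace with the real list of high-value accounts.
$HighValueUsers = @('jdoe', 'asmith')

"Office Click-to-Run build: $(Get-OfficeC2RVersion)"
Add-ToProtectedUsers -SamAccountNames $HighValueUsers
Block-OutboundSmbToInternet
```

The firewall rule uses the built-in `Internet` address keyword so that internal SMB traffic is unaffected; it complements the perimeter block the post recommends rather than replacing it, since a host on a split-tunnel VPN or off the corporate network is not behind that perimeter. Protected Users membership has effects beyond NTLM (for example, it also disables Kerberos delegation for the account), which is why the script records membership before changing it.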
How can Sedara Help?
- Sedara’s vCISOs can provide ongoing supervision and support to help you stay abreast of the latest security incidents and make changes that improve your cybersecurity posture.
More reading on this threat:
- Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
- Microsoft Outlook Elevation of Privilege Vulnerability CVE-2023-23397
Want Help With a Security Incident?
Sedara can help your organization assess and address vulnerabilities and provide insight that prevents future incidents.