by Jeyakumar Durai (JD)
Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for New Technology LAN Manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address a critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook clients that connect to both an on-premises Exchange environment and Exchange Online (Office365).
What is the impact due to this Vulnerability?
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that when triggered allows an External attacker to send specially crafted emails that creates a connection from the victims machine to an external UNC location of the attackers’ control. The vulnerability will leak the Net-NTLMv2 credential hash of the victim to the attacker who can then relay this to other systems in the network and authenticate as the victim.
What are the versions affected due to this vulnerability?
All supported versions of Microsoft Outlook for Windows are affected.
Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are NOT affected.
What is the Mitigation plan from Microsoft?
How to determine if my organization was targeted by actors attempting to use this vulnerability?
Microsoft has provided documentation and a script in their GitHub that checks Exchange messaging items (mail, calendar and tasks) which can assist in determining if your organization has been targeted. The script also provides the parameters to clean up the exploited items from the Organization mailboxes. Please note depending on the size of the Organization, it may take some time for the script to complete and provide the results.
Helient strongly recommends taking the necessary steps to mitigate the targeted abuse of this vulnerability in Microsoft Outlook for Windows. If you would like more information or assistance, please contact our industry-leading experts at firstname.lastname@example.org.