Microsoft Mitigates Outlook Elevation of Privilege Vulnerability

by Jeyakumar Durai (JD)
Cloud Architect

Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for New Technology LAN Manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address a critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook clients that connect to both an on-premises Exchange environment and Exchange Online (Office365).

What is the impact due to this Vulnerability?

CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that when triggered allows an External attacker to send specially crafted emails that creates a connection from the victims machine to an external UNC location of the attackers’ control. The vulnerability will leak the Net-NTLMv2 credential hash of the victim to the attacker who can then relay this to other systems in the network and authenticate as the victim.

What are the versions affected due to this vulnerability?

All supported versions of Microsoft Outlook for Windows are affected.

Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are NOT affected.

What is the Mitigation plan from Microsoft?

  • Install the security update released by Microsoft based on the Microsoft Outlook versions specified in this Microsoft release. If the version of outlook is not listed in the article, it is advisable to upgrade to one a supported version of Microsoft Outlook.
  • Block TCP 445/SMB outbound from your network to External to stop the NTLM traffic.
  • Add on-premises Active Directory accounts to the Protected Users Security Group. Windows 2012 R2 and newer domain controllers support this group, which prevents the use of NTLM as an authentication method by its group members. Please note adding users to this group may impact their access to the applications that require NTLM authentication. Hence, add only the high-priority and privileged accounts to this group in phases.

How to determine if my organization was targeted by actors attempting to use this vulnerability?

Microsoft has provided documentation and a script in their GitHub that checks Exchange messaging items (mail, calendar and tasks) which can assist in determining if your organization has been targeted. The script also provides the parameters to clean up the exploited items from the Organization mailboxes. Please note depending on the size of the Organization, it may take some time for the script to complete and provide the results.

Helient strongly recommends taking the necessary steps to mitigate the targeted abuse of this vulnerability in Microsoft Outlook for Windows. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.