
A critical zero-day vulnerability in the Microsoft Outlook/365 application suite is being actively exploited in the wild, and patching is mandatory.
The vulnerability, tracked as CVE-2023-23397 with a CVSS score of 9.8, lets a remote, unauthenticated attacker breach a system by sending a specially crafted email that allows them to steal the recipient’s credentials.
The victim does not even need to open the malicious email. As Microsoft notes in its own guidance for the Microsoft 365 vulnerability: “[The email] triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”
This Microsoft Outlook vulnerability affects both 32- and 64-bit versions of Microsoft 365 Apps for Enterprise. Office 2013, 2016, and 2019 (as well as LTSC) are also vulnerable. The attack is triggered by a malicious email that causes a connection from the victim to a location under attacker control, leaking the victim’s Net-NTLMv2 hash to the attacker, who can then relay it to another service and authenticate as the victim.
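The tell-tale sign of the leak described above is an outbound SMB (TCP 445) connection from a workstation to an address outside the organisation. The following PowerShell is an added example, not part of the original advisory: it scans Windows Firewall log lines for that pattern. The log lines are constructed for the example in the layout of %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log (an assumption about the environment; the field order and the function names are this example's own, so adjust the parser if your log format differs).

```powershell
# Constructed sample in the Windows Firewall log layout (assumption: your
# firewall logging is enabled and writes this field order).
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-03-15 10:22:01 ALLOW TCP 10.0.0.5 10.0.0.20 49830 445 0 - 0 0 0 - - - SEND
2023-03-15 10:22:03 ALLOW TCP 10.0.0.5 203.0.113.10 49832 445 0 - 0 0 0 - - - SEND
2023-03-15 10:22:04 ALLOW TCP 10.0.0.5 203.0.113.10 49833 443 0 - 0 0 0 - - - SEND
2023-03-15 10:22:07 DROP TCP 10.0.0.7 198.51.100.25 50011 445 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # RFC 1918 ranges plus loopback count as internal; everything else is external.
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Find-ExternalSmbConnections {
    param([string[]]$Lines)
    $hits = foreach ($line in $Lines) {
        # Skip header/comment lines and blanks.
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        # Field index: 0 date, 1 time, 2 action, 3 protocol, 4 src-ip, 5 dst-ip,
        # 6 src-port, 7 dst-port, ... 16 path (SEND = outbound).
        if ($f.Count -lt 17) { continue }
        if ($f[3] -ne 'TCP' -or $f[7] -ne '445' -or $f[16] -ne 'SEND') { continue }
        # Internal file-share traffic on 445 is normal; only external targets matter here.
        if (Test-PrivateIPv4 $f[5]) { continue }
        [pscustomobject]@{
            Timestamp   = "$($f[0]) $($f[1])"
            Action      = $f[2]
            Source      = $f[4]
            Destination = $f[5]
        }
    }
    return @($hits)
}

$alerts = Find-ExternalSmbConnections -Lines $SampleLog
$alerts | Format-Table -AutoSize
```

An ALLOW row is the one that needs investigation, since the NTLM handshake reached the external host; a DROP row shows the outbound-445 block (discussed in the mitigations below) doing its job and still identifies the workstation that processed a malicious message.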
Microsoft Outlook vulnerability CVE-2023-23397 mitigations
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM, but it has a side effect: any application that requires NTLM will be affected by the workaround.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and your VPN settings: “This will prevent the sending of NTLM authentication messages to remote file shares,” Microsoft adds in its guidance for tackling CVE-2023-23397.
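Both workarounds above can be applied and verified from PowerShell. The script below is an added example, not part of the original advisory or of Microsoft's own guidance script. It assumes the ActiveDirectory and NetSecurity modules are available, that the session has rights to change group membership and the local firewall, and that the account names are placeholders for your own high-value accounts; the function names and the firewall rule name are this example's own choices.

```powershell
# Added example: apply and check the two CVE-2023-23397 workarounds.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
Import-Module NetSecurity

# Placeholders: replace with the sAMAccountNames of your own high-value accounts.
$HighValueAccounts = @('admin.placeholder1', 'admin.placeholder2')
$RuleName = 'Block outbound SMB (CVE-2023-23397 workaround)'

function Add-ToProtectedUsers {
    param([string[]]$SamAccountNames)
    foreach ($name in $SamAccountNames) {
        $user = Get-ADUser -Identity $name -Properties MemberOf
        if ($user.MemberOf -match 'CN=Protected Users,') {
            Write-Host "$name is already in Protected Users"
            continue
        }
        # Membership stops NTLM for this account, so confirm first that no
        # NTLM-only application depends on it (the side effect noted above).
        Add-ADGroupMember -Identity 'Protected Users' -Members $user
        Write-Host "Added $name to Protected Users"
    }
}

function Block-OutboundSmb {
    param([string]$RuleName)
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$RuleName' already exists"
        return
    }
    # Block TCP 445 leaving the machine towards non-intranet addresses so that
    # internal file shares keep working. 'Internet' is a built-in scope keyword;
    # whether it matches your perimeter is an assumption, so substitute your own
    # address ranges if your network is laid out differently.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Host "Created rule '$RuleName'"
}

function Get-MitigationStatus {
    param([string[]]$SamAccountNames, [string]$RuleName)
    $members = @(Get-ADGroupMember -Identity 'Protected Users' |
                 Select-Object -ExpandProperty SamAccountName)
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NotYetProtected    = @($SamAccountNames | Where-Object { $members -notcontains $_ })
        OutboundSmbBlocked = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
}

Add-ToProtectedUsers -SamAccountNames $HighValueAccounts
Block-OutboundSmb -RuleName $RuleName
Get-MitigationStatus -SamAccountNames $HighValueAccounts -RuleName $RuleName
```

The local firewall rule covers only the host it runs on; the perimeter firewall and VPN settings named in the guidance still have to be changed separately, and the status object is what to check after each of those changes lands.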
The findings are attributed to CERT-UA, Microsoft Incident Response, and Microsoft Threat Intelligence (MSTI). Microsoft did not disclose how widespread the attacks are, but they are likely to become widespread very fast as the patch is reverse-engineered and offensive security researchers identify how the exploit works and share PoCs.