NOTIFIED: Microsoft Outlook Vulnerability (CVE-2023-23397)
On March 15, 2023, news began to circulate about a new Microsoft Outlook vulnerability (CVE-2023-23397).
The issue only impacts the versions of Microsoft Outlook that run on Windows. Unfortunately, that impact is significant and is a cause for serious concern in most organizations. The vulnerability allows an attacker to gain access to a user’s password hashes, which are directly usable in many environments. Additionally, the attacker community is rapidly moving from proof of concept to viable attack toolkits.
LAST UPDATE: 3/16/23
While there are many technical writeups that go into the weeds on how this attack works, the critical items to know are:
- Microsoft claims that Microsoft 365 is unaffected, but we believe a traditional Outlook client connecting to Microsoft 365 could be vulnerable in some situations
- The attack involves all current versions of Microsoft Outlook running on Windows
- The attack involves zero user interaction. There is no need for the attacker to trick the user into clicking links or downloading anything. They can simply send an email and get a password hash.
- This password hash can be used directly by using a “relay” attack against other services
- The fewer services you expose to the internet that allow NTLM authentication, the more secure you are
- Weak passwords can be identified from this hash and then used directly
- Patches for Outlook are available
- Scripts from Microsoft to check for compromise are available
How to protect yourself from Microsoft Outlook Vulnerability CVE-2023-23397
To protect against this issue, you need to apply the current Microsoft Outlook patches (links below). Patching Outlook across the entire Windows workstation environment, including laptops, desktops, and virtual machines is the best option. Microsoft also recommends blocking port 445 outbound and placing users in the Protected Users security group. These last two workarounds could impact existing business practices, so be sure to test carefully if implementing them in addition to applying patches.
CDI is actively working with partners like Proofpoint and Abnormal to identify whether email filtering can be configured to block incoming malicious emails using this attack. CDI is also actively working with partners like Crowdstrike to identify whether the behavior can be detected and blocked with EDR/MDR tools. This blog will be updated when more information is available.
An expert Microsoft partner, CDI Security representatives are capable of assisting all organizations with any concerns around this vulnerability. Please contact our team here should you need assistance.
For technical details, please see: