On 3/14/23 Microsoft released patches to address a critical vulnerability found in Microsoft Outlook for Windows. This vulnerability affects only Microsoft Outlook for Windows. Other versions such as those for Android, iOS, Mac, and Outlook/M365 on the web are not affected.
CVE-2023-23397
Microsoft Outlook Elevation of Privilege (EoP) Vulnerability
CVSSv3.1: 9.8
This vulnerability may be triggered by an attacker that sends a crafted, expired appointment to a user. This will activate the reminder feature within Outlook for overdue appointments with no user interaction required.
The attacker-crafted appointment will exploit the path to the sound file that Outlook plays for a reminder when it is overdue, substituting a UNC (Universal Naming Convention) path within the message that leads to their own server. This will cause the Outlook client to send the user’s login name and their NTLM password hash to the attacker’s remote server.
This exploit does NOT require the recipient to interact with the appointment received from the attacker. The message will be processed behind the scenes, potentially leaving the user unaware that they have been compromised.
Mitigations
- Ensure current patches are applied.
- For those that cannot patch right away, Microsoft provides guidance for DCs using Windows 2012 R2 or newer. Consider adding on-premises accounts to a Protected Users Security Group. This prevents the use of NTLM as an authentication method by group members and continues to allow legacy applications that require NTLM to be excluded from the group and still utilize that authentication method.
(Ensure that you review Microsoft documentation for Protected Users Security Groups before implementing:
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group?WT.mc_id=M365-MVP-9501 )
Detection and Response
Microsoft has made a script available that will review the Exchange environment to see whether a property is populated for a UNC path. The script can also be used to clean up the property for the malicious appointment reminders or even delete the items permanently.
https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
Additional Resources
https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
