This alert aims to highlight a critical vulnerability identified in Microsoft Outlook for Windows. This vulnerability is tracked with the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2023-23397.
Microsoft has rated CVE-2023-23397 a 9.8/10 on the Common Vulnerability Scoring System (CVSS).
This issue affects organisations utilising both Exchange on-prem and Office365, as the vulnerability resides in Microsoft Outlook desktop clients.
Importantly, exploitation of this issue does not require any user interaction – the vulnerability is triggered as soon as an appropriately formed email arrives in a Microsoft Outlook inbox, even if the user does not open this email.
The impact of exploitation is that Microsoft NTLM credentials will be sent from the vulnerable Outlook client to the Threat Actor exploiting the flaw. Threat Actors may utilise NTLM credentials to authenticate to resources as the victim. As such, Microsoft describes this issue as an Elevation of Privilege, as the Threat Actor is likely to elevate from no privilege to the victim's privilege level.
Limited exploitation of this vulnerability in the wild has been observed, and a security firm, MDSec, demonstrated a Proof of Concept (PoC) for this vulnerability.
The vulnerability is exploited using an extended Messaging Application Programming Interface (MAPI) property within the crafted email that points to a Universal Naming Convention (UNC) path.
A Threat Actor can specify a UNC path pointing to a remote, Threat Actor-controlled location so that the NTLM challenge made as a result of the exploit is sent to that location and captured there.
The vulnerability is delivered through a malicious calendar invite in ".msg" format. The invite causes the "reminder notification" sound for the proposed meeting to be played, triggering the vulnerable API endpoint "PlayReminderSound", which in turn produces the NTLM challenge described above.
This vulnerability affects all versions of Microsoft Outlook on the Windows Operating System.
Mobile clients, Mac clients and clients running on other operating systems are not affected. The Outlook Web Application (OWA) is not affected.
User interaction is not required for this vulnerability to be exploited. The vulnerability is triggered as soon as the crafted email arrives in the victim's Outlook inbox; the associated mail item does not need to be opened.
As this vulnerability affects the email client being utilised (Microsoft Outlook for Windows), it does not matter where the mail server is hosted (e.g., on-premises Exchange vs. O365).
Triskele Labs recommends that Microsoft Outlook software is updated in line with the version being run. The following location lists the relevant update articles for the affected software:
Additional mitigation actions that can be taken include:
Turning off the "Show reminders" setting in Outlook prevents this application from being exploited, as the vulnerability is triggered through a reminder notification sound.
Adding high-risk users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism for those accounts.
Blocking outbound connections to TCP port 445, which prevents the forced NTLM authentication from reaching a Threat Actor-controlled SMB server and so stops exploitation from being weaponised.
Enforcing SMB signing on clients and servers within the Windows Domain, which prevents the subsequent relay attacks that can be performed by leveraging this vulnerability.
These mitigation strategies are not substitutes for patching the vulnerability. These should be implemented to complement the patch as Defence in Depth measures or in the case that a patch cannot be immediately applied.
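As an added illustration of the host-level mitigations listed above (added to this alert; it is not Triskele Labs' or Microsoft's own tooling), the following PowerShell audits each setting on a Windows endpoint and, when run with -Enforce, applies it. It assumes an elevated session on a domain-joined host and, for the Protected Users step, that the RSAT ActiveDirectory module is installed; the $HighRiskUsers parameter and the firewall rule name are placeholders. The Outlook "Show reminders" option is left to the Outlook client or Group Policy.

```powershell
<#
  Added example (not Triskele Labs' or Microsoft's tooling): audit and, with
  -Enforce, apply the SMB signing, outbound 445 and Protected Users mitigations.
  Assumes an elevated session on a domain-joined Windows host.
#>
[CmdletBinding()]
param(
    [switch]$Enforce,
    # Placeholder: supply the sAMAccountNames of the high-risk users in scope.
    [string[]]$HighRiskUsers = @()
)

# 1. SMB signing on both the client and server side of the host, so that a
#    captured NTLM challenge cannot be relayed to SMB.
$smbClient = Get-SmbClientConfiguration
$smbServer = Get-SmbServerConfiguration
"SMB client RequireSecuritySignature: $($smbClient.RequireSecuritySignature)"
"SMB server RequireSecuritySignature: $($smbServer.RequireSecuritySignature)"
if ($Enforce) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# 2. Outbound TCP/445 towards Internet addresses, so the reminder's UNC path
#    cannot reach an external SMB server. Only the 'Internet' address class is
#    blocked, so intranet file servers keep working.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
"Outbound 445 block rule present: $([bool]$rule)"
if ($Enforce -and -not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 3. Protected Users membership, which disables NTLM for the account so a
#    triggered reminder yields no usable credential.
if ($HighRiskUsers.Count -gt 0) {
    Import-Module ActiveDirectory
    $members = (Get-ADGroupMember -Identity 'Protected Users').SamAccountName
    foreach ($user in $HighRiskUsers) {
        $inGroup = $members -contains $user
        "$user in Protected Users: $inGroup"
        if ($Enforce -and -not $inGroup) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $user
        }
    }
}
```

Run without -Enforce first to record the current state; the firewall and signing changes can interrupt legitimate SMB sessions and should be rolled out in stages.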
The Triskele Labs DefenceShield Security Operations Centre (SOC) monitors suspicious activity for Managed Detection and Response (MDR) clients. DefenceShield Monitor clients with Security Information and Event Management (SIEM) agents deployed to endpoints running Microsoft Outlook will detect exploitation of this vulnerability.
Triskele Labs are performing ongoing scanning for DefenceShield Assess clients to detect vulnerable devices in client networks.
Microsoft has released a script enabling retroactive Threat Hunting for messages carrying this vulnerability.
For any questions, please contact the DefenceShield Security Operations Centre or Triskele Labs support.