Microsoft disclosed an alarming new Outlook privilege escalation vulnerability

Critical zero-day vulnerability discovered in Microsoft Outlook

Attackers have found a way to exploit a security vulnerability in Microsoft Outlook. They create a malicious “Appointment Reminder” in Outlook, usually an enticingly written notification of an upcoming event or meeting. When this malicious reminder is triggered, it causes the victim’s Outlook to connect to a remote file storage location (an SMB share) using a UNC path (a way to access files on a network). During the authentication that follows, the attacker captures the victim’s NTLM password hash (a scrambled form of the password). From that point on, the threat actor exploits the victim’s access as far as they can.

This attack is alarming due to its ease of use

This attack has a low complexity rating, meaning it is very easy to pull off and can yield a high reward. It can be exploited without any interaction or mistake from the victim. To a hacker, anything simple that doesn’t require much thought is attractive: they are always looking for easy targets and the path of least resistance to screwing you over. This attack also has the potential to be widespread, as it targets a vulnerability in Microsoft Outlook’s Appointment feature. Outlook is an extremely popular program, leaving many people at risk.

If you are looking for more technical information, here is the Government of Canada’s alert on it:
Alert – Microsoft Outlook zero-day vulnerability allowing NTLM credential theft – CVE-2023-23397

What can you do?

Apply your Microsoft updates and patches. This is the number one thing you can do to keep your systems safe, and it is easy and reliable. Microsoft has already released an update that patches this vulnerability.

Here’s a quick way to stay up to date:

To update your Outlook, please follow the steps below:
1. Open Outlook on your computer
2. Click on File > Office Account
3. Click on Update Options > Update Now
4. Wait for the update to download and install.

Microsoft has also released the following mitigations:

  1. Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high-value accounts such as Domain Admins when possible.
    Please note: This may impact applications that require NTLM; however, the settings revert once the user is removed from the Protected Users group.
  2. Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
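The two mitigations above, as an added example (not from the original post or from Microsoft): a PowerShell script that adds high-value accounts to Protected Users and creates a host-firewall rule blocking outbound TCP 445, then verifies both. It assumes an elevated prompt on a domain-joined host with the RSAT ActiveDirectory module installed; the account names are placeholders.

```powershell
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
Import-Module NetSecurity

# Placeholder list of high-value accounts (assumption; replace with your own).
$HighValueAccounts = @('da-jsmith', 'da-alee')

# Mitigation 1: Protected Users membership prevents NTLM for these accounts.
# Remember the caveat above: applications that still require NTLM may break
# until the user is removed from the group again.
$protected = Get-ADGroup -Identity 'Protected Users'
$current   = Get-ADGroupMember -Identity $protected |
             Select-Object -ExpandProperty SamAccountName
foreach ($acct in $HighValueAccounts) {
    if ($current -contains $acct) {
        Write-Host "$acct is already in Protected Users"
    } else {
        Add-ADGroupMember -Identity $protected -Members $acct
        Write-Host "Added $acct to Protected Users"
    }
}

# Mitigation 2: block outbound TCP 445 on the local firewall so Outlook cannot
# send NTLM authentication to a remote SMB share. Perimeter firewall and VPN
# rules must be configured separately, as the post notes.
$ruleName = 'Block Outbound SMB (TCP 445) - CVE-2023-23397'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'"
}

# Verification: show current Protected Users membership and the firewall rule.
Get-ADGroupMember -Identity $protected | Select-Object SamAccountName
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```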

For more information on what Microsoft has to say check out: Microsoft Outlook Elevation of Privilege Vulnerability

As always, if you have any reason to believe your organization has been exposed to malicious software, or if you would like to ensure all your software is free of security exploits, please do not hesitate to contact our incident response team.