On 14th March 2023, Microsoft released a security update guide for a critical severity vulnerability CVE-2023-23397. This vulnerability targets Microsoft Outlook and allows NTLM credentials theft which could be used for privilege escalation attacks.
What is the issue?
An attacker can send an email to the victim with an extended MAPI (Microsoft Outlook Messaging API) property with a UNC (Universal Naming Convention - A string format that specifies the location of a resource) path to an attacker-controlled SMB (TCP 445) share. Once Outlook receives this message it initiates a NTLM authentication with this SMB share server. There is no user interaction required to trigger this vulnerability. The attacker can then use this connection's NTLM negotiation message and relay this authentication against other systems that support NTLM authentication.
According to Microsoft “An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user”
What systems are impacted?
This impacts all versions of Microsoft Outlook for Windows. As per the Microsoft blog other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected
Microsoft has also provided impact assessment scripts at https://aka.ms/CVE-2023-23397ScriptDoc and detailed the steps to run the script to evaluate the impact.
What can you do to protect yourself?
Advanced Threat Protection
We have added coverage for known exploit attempts and are working to add a more generic detection for this vulnerability.
Details related to the threat signatures released by Zscaler can be found in the Zscaler Threat Library.