Microsoft have strongly recommended for all customers to update Microsoft Outlook for Windows to remain secure.
The following article has been released by Microsoft after they discovered a critical vulnerability in Microsoft Outlook for Windows:
Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.
All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required.
The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages.
Please refer to CVE-2023-23397 Outlook updates to address this vulnerability, read FAQs, and additional mitigation details.
To determine if your organization was targeted by actors attempting to use this vulnerability, you should contact use.
The Microsoft Incident Response team and Microsoft Threat Intelligence community appreciate the opportunity to investigate the findings reported by CERT-UA.
Through joint efforts, Microsoft is aware of limited targeted attacks using this vulnerability and initiated communication with the affected customers. Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.