Microsoft Outlook zero-day vulnerability allowing NTLM credential theft
Date: March 15, 2023
This Alert is intended for IT professionals and managers of notified organizations.
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
On March 14, 2023, Microsoft published advisories highlighting several critical vulnerabilities [1][2]. One of those advisories, for CVE-2023-23397, disclosed a vulnerability affecting Microsoft Outlook for Windows and noted that it has been exploited in the wild [3][4]. Open source reporting further states that this zero-day vulnerability was exploited by sophisticated actors [2].
CVE-2023-23397 allows a threat actor to send a specially crafted email (or calendar or task item) carrying a malicious payload that causes the victim's Outlook client to automatically connect to a Universal Naming Convention (UNC) path under the actor's control. Because that connection is an SMB request to a remote host, the client authenticates with NTLM, and the actor's server receives the user's Net-NTLMv2 hash (the NTLMv2 challenge response) [2]. The payload is an extended MAPI property on the item, PidLidReminderFileParameter, whose value is normally the path of a custom reminder sound; the flaw is that Outlook honoured a UNC path in that value. The captured hash can be cracked offline or relayed to other services that accept NTLM, which permits further exploitation [5].
Exploitation does not require the user to open or preview the message: Outlook processes the property when the item's reminder fires, so a running Outlook client is enough. The Cyber Centre has confirmed successful reproduction of a payload that invokes the exploit.
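The check that matters for triage is whether an item's PidLidReminderFileParameter value points at a remote host. The following PowerShell is an added example written for this Alert; it is not Microsoft's CVE-2023-23397 script and not Cyber Centre tooling. It reduces that check to a single function and runs it over constructed sample items; the item shape (Subject, ReminderFileParameter) and the trusted file-server name are assumptions, and a real implementation would read the property from the mailbox (for example over EWS, as Microsoft's script does).

```powershell
# Added example: classify a PidLidReminderFileParameter value (PSETID_Common, LID 0x851F).
# Returns $true when the value would make Outlook authenticate to a remote host, i.e. a UNC
# path or a URL whose host is not in the caller's allow-list; $false for unset or local paths.
function Test-ReminderFileParameter {
    param(
        [AllowNull()] [AllowEmptyString()] [string] $Path,
        # Hosts whose shares legitimately hold reminder sounds (assumption: maintained by the
        # organisation; an empty list treats every remote host as suspicious).
        [string[]] $TrustedHosts = @()
    )
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }   # property unset: benign
    $p = $Path.Trim()
    $remoteHost = $null

    if ($p -match '^\\\\\?\\UNC\\([^\\]+)')        { $remoteHost = $Matches[1] }   # \\?\UNC\host\share
    elseif ($p -match '^\\\\[?.]\\')               { return $false }               # \\?\C:\... or \\.\device: local
    elseif ($p -match '^\\\\([^\\]+)')             { $remoteHost = $Matches[1] }   # \\host\share
    elseif ($p -match '^(?:file|https?)://([^/\\]+)') { $remoteHost = $Matches[1] } # file://host/... or http(s)://host/...
    elseif ($p -match '^[A-Za-z]:\\')              { return $false }               # drive-letter path: local
    else                                           { return $true }                # unexpected form: review it

    $remoteHost = $remoteHost -replace ':\d+$', ''   # drop an explicit port before comparing
    if ($TrustedHosts -contains $remoteHost) { return $false }
    return $true
}

# Constructed sample items (assumption: these are not real mailbox data).
$Items = @(
    [pscustomobject]@{ Subject = 'Weekly sync';  ReminderFileParameter = $null },
    [pscustomobject]@{ Subject = 'Custom chime'; ReminderFileParameter = 'C:\Sounds\chime.wav' },
    [pscustomobject]@{ Subject = 'Invoice';      ReminderFileParameter = '\\203.0.113.10\sounds\alert.wav' },
    [pscustomobject]@{ Subject = 'Team event';   ReminderFileParameter = '\\fileserver01.corp.example\audio\ding.wav' },
    [pscustomobject]@{ Subject = 'Reminder';     ReminderFileParameter = '\\?\UNC\198.51.100.7\share\x.wav' },
    [pscustomobject]@{ Subject = 'Status';       ReminderFileParameter = 'file://198.51.100.7/share/x.wav' }
)

# Only 'Invoice', 'Reminder' and 'Status' are reported: the drive-letter path is local and
# fileserver01.corp.example is on the assumed allow-list.
$Items |
    Where-Object { Test-ReminderFileParameter -Path $_.ReminderFileParameter -TrustedHosts 'fileserver01.corp.example' } |
    Select-Object Subject, ReminderFileParameter
```

The allow-list exists because some organisations do deploy reminder sounds from an internal share; treat any match outside it, and in particular any bare IP address, as an item to preserve for forensics before removing the property.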
The Cyber Centre recommends patching immediately [6]. If that is not possible, some or all of the following mitigations and actions should be performed as quickly as possible:
- Block TCP 445/SMB outbound from your networks so that a triggered reminder cannot reach the threat actor's share. This prevents the connection, not the processing of the crafted item, so patching remains the fix.
- Add users to the Protected Users security group, which prevents members from authenticating with NTLM, so there is no Net-NTLMv2 hash to capture [7]. The group applies to domain user accounts (not service or computer accounts) and also disables weaker Kerberos options and delegation, so test it on a pilot set of high-value accounts first.
- Restrict the use of NTLM [8]. Start in audit mode and review the Microsoft-Windows-NTLM/Operational event log before moving to deny, so that legacy systems that still depend on NTLM are found before they break.
- Periodically run the script provided by Microsoft to detect potentially malicious messaging items (mail, calendar and tasks) [9]. The script searches Exchange mailboxes for items whose PidLidReminderFileParameter property is set and can be run in audit mode first, then in clean-up mode to remove the property or the item.
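The three host-side mitigations above (outbound SMB block, Protected Users, NTLM restriction) can be applied with built-in cmdlets. The following PowerShell is an added example written for this Alert, not Cyber Centre or Microsoft script; the account names, the firewall rule name and the audit-before-deny policy value are assumptions. Run it elevated on the host for the firewall and registry steps, and with the ActiveDirectory module (RSAT) for the group step; in an enterprise, deliver the same settings by Group Policy rather than host by host.

```powershell
#Requires -RunAsAdministrator
# Added example: interim CVE-2023-23397 mitigations. Names marked as assumptions are illustrative.

# 1. Block outbound SMB so a fired reminder cannot reach an attacker-controlled share.
New-NetFirewallRule -DisplayName 'Block outbound SMB (CVE-2023-23397 mitigation)' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any -Enabled True

# 2. Put high-value accounts in Protected Users: members cannot authenticate with NTLM, so
#    there is no Net-NTLMv2 response to capture. The group also disables DES/RC4 Kerberos,
#    delegation and long-lived TGTs, so pilot it before broad rollout.
$HighValueUsers = @('jdoe', 'asmith')   # assumption: sAMAccountNames chosen by the organisation
Add-ADGroupMember -Identity 'Protected Users' -Members $HighValueUsers

# 3. Restrict NTLM on clients and member servers. This is the policy
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
#    0 = Allow all, 1 = Audit all, 2 = Deny all. Start with Audit (assumption: the
#    organisation has not yet inventoried NTLM dependencies) and review event IDs 8001-8004
#    in Microsoft-Windows-NTLM/Operational before switching to 2.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# The policy referenced in footnote 8, "NTLM authentication in this domain", is set on domain
# controllers instead: 0 = Disable, 1 = Deny for domain accounts to domain servers,
# 3 = Deny for domain accounts, 5 = Deny for domain servers, 7 = Deny all.
# Set-ItemProperty -Path $lsa -Name 'RestrictNTLMInDomain' -Value 7 -Type DWord

# Verify what was applied.
Get-NetFirewallRule -DisplayName 'Block outbound SMB*' | Select-Object DisplayName, Enabled, Direction, Action
Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
Get-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' | Select-Object RestrictSendingNTLMTraffic
```

The order matters for operations: the firewall rule and the Protected Users change take effect immediately and can break legitimate SMB access or NTLM-only applications for the affected users, which is why the NTLM restriction step is shown in audit mode first.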
Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, email ([email protected]) or telephone (1-833-CYBER-88 or 1-833-292-3788).
Footnotes
1. Microsoft: Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)
2. BleepingComputer: Microsoft March 2023 Patch Tuesday fixes 2 zero-days, 83 flaws
3. Microsoft Security Response Center: Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
4. Microsoft: March 2023 Exchange Server Security Updates
5. Microsoft: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
6. Canadian Centre for Cyber Security: Microsoft security advisory – March 2023 monthly rollup (AV23-146)
7. Microsoft: Protected Users Security Group
8. Microsoft: Network security: Restrict NTLM: NTLM authentication in this domain
9. Microsoft: CVE-2023-23397 script