A critical vulnerability in Microsoft Outlook has been identified and assigned the identifier CVE-2023-23397. It made it possible to steal hashed passwords remotely simply by sending a malicious email to the victim’s computer. Microsoft has released a patch for this vulnerability, but it was exploited by cybercriminals from at least April to December 2022.
The vulnerability is rated 9.8 (critical) – it affected all versions of Microsoft Outlook for Windows and allowed attackers to steal account credentials with malicious emails. No action was required from the victim – the attack was carried out as soon as Outlook was open and a reminder was triggered on the system.
The vulnerability was based on a weakness in Windows New Technology LAN Manager (NTLM). This is the authentication method used to log on to Windows domains with hashed account information. NTLM authentication has known risks, but it is still present in newer systems to ensure compatibility with older ones. The protocol exchanges password hashes: when a user tries to access a share, the server receives a hash-based authentication response. If captured, these hashes can be used to authenticate on the network.
As Microsoft explains, a cybercriminal exploiting the CVE-2023-23397 vulnerability sends “a message with an extended MAPI property containing the UNC path to an SMB share (TCP 445) on an attacker-controlled server”. A malicious Outlook email (.MSG) contains a calendar event that triggers the exploit and sends the NTLM hashes to the attacker’s server. This gives the attacker a foothold in corporate networks. In addition to calendar events, similar attacks are also carried out through other Outlook item types such as Notes and Messages.
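As an added example (not code from the original article or from Microsoft), the following Python check takes the defender's view of the paragraph above: given the string values of a message's extended MAPI properties, it flags any value that is a UNC path to a host outside the organisation, which is the indicator a mailbox or gateway scan would look for. The property labels, the sample values and the trusted domain suffix are constructed assumptions.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Domain suffixes treated as internal (assumption for this example).
TRUSTED_SUFFIXES = (".corp.example",)

# Matches a UNC path \\host\share\..., including the \\host@port\share form
# that routes the same request over WebDAV instead of SMB.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@[^\\]*)?\\([^\\]+)")


def host_is_external(host: str) -> bool:
    """True if the host is neither a private/loopback IP, a bare NetBIOS
    name, nor a name under a trusted internal suffix."""
    host = host.lower().rstrip(".")
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal, fall through to name checks
    if "." not in host:
        return False  # single-label names only resolve inside the LAN
    return not host.endswith(TRUSTED_SUFFIXES)


def flag_external_unc(properties: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (property_label, host) pairs whose value is a UNC path to an
    external host; everything else is ignored."""
    hits = []
    for label, value in properties:
        match = UNC_RE.match(value.strip())
        if match and host_is_external(match.group(1)):
            hits.append((label, match.group(1)))
    return hits


# Constructed sample: string-valued extended properties of one message item.
SAMPLE_PROPERTIES = [
    ("prop_subject", "Quarterly review"),
    ("prop_location", r"\\fileshare.corp.example\rooms\map.pdf"),  # internal
    ("prop_reminder_path", r"\\external.example.net@80\s\x.wav"),  # external
    ("prop_attachment_hint", r"\\10.20.30.40\public\readme.txt"),  # private IP
    ("prop_note", r"\\FILESRV01\docs"),  # bare NetBIOS name
]

if __name__ == "__main__":
    for label, host in flag_external_unc(SAMPLE_PROPERTIES):
        print(f"suspicious UNC path in {label}: host {host}")
```

Only the reminder property pointing at an external host is reported; internal shares, private IPs and bare NetBIOS names pass.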
Security experts estimate that the CVE-2023-23397 vulnerability was exploited in cyberattacks against at least 15 organizations from April to December 2022.