On March 14th, 2023, a critical vulnerability in Microsoft Outlook, CVE-2023-23397, was disclosed. All currently supported versions of Outlook for Windows are affected; Outlook on the web and Outlook for Android, iOS and Mac are not.
What is CVE-2023-23397?
Identified as CVE-2023-23397, this vulnerability allows a threat actor to send a specially crafted email carrying a malicious payload that causes the victim's Outlook client to automatically connect to an external location under the actor's control, handing over the user's NTLM credentials. This can open the door to further attacks. The scary part is that the victim does not need to open or even preview the email: the payload is triggered as soon as the Outlook client retrieves and processes the message, before it is ever shown in the Preview Pane.
Merely receiving the message is enough. Outlook acts on the code inside it, makes your computer call out to the internet, and hands over its NTLM token.
What is an NTLM token?
An NTLM token is part of how the Microsoft operating system authenticates you when you access files on a network drive. With your NTLM token, a threat actor can launch attacks against your network as you. This is a very high-level, critical exploit, and the only mitigations are applying the patch Microsoft has released or having your IT provider add extra firewall rules.
Fortunately, we have been working tirelessly to address the issue. We have pushed out two fixes on March 16th, 2023, to help remediate this issue with our clients.
The first fix is a patch from Microsoft for Office that closes this vulnerability. Skycomp has deployed this patch to all workstations it manages; depending on your previous version, the update may force Office applications to close.
The second fix is a firewall rule we deployed that blocks SMB traffic from internal networks to the internet, stopping this type of attack at another layer. We don't foresee this causing any issues.
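The outbound SMB block described above can also be applied per host with Windows Firewall. This is an added example, not Skycomp's deployed rule; the rule name is assumed, and it is run from an elevated PowerShell session.

```powershell
# Added example: block outbound SMB (TCP 445) from this host to addresses
# outside the local networks, the same control the post describes at the
# perimeter. Run as Administrator.

$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397)'   # assumed name

# Create the rule only once; re-running the script is then harmless.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # 'Internet' is a built-in Windows Firewall address keyword meaning
    # remote addresses that are not on the local networks.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Protocol TCP `
        -RemotePort 445 `
        -RemoteAddress Internet `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verify the rule exists and carries the expected port and address filters.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Select-Object DisplayName, Direction, Action, Enabled
```

Note that blocking port 445 alone does not stop Windows from falling back to WebDAV (the WebClient service) over HTTP/HTTPS for UNC paths, so this rule complements the Microsoft patch rather than replacing it.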
We are also running reports to see if any users received emails with potentially malicious messaging items over the past couple of days. This will help us identify any users who may have been affected by this vulnerability and take appropriate action.
The recent Outlook exploit was a cause for concern, but with our quick action the issue has been addressed for our clients. We encourage all users to ensure they have installed the latest updates and patches for their Outlook clients and to report any suspicious emails to their IT support immediately.
If you are not a Managed Client of Skycomp, here is what you need to do.
We strongly advise you to go to Windows Update immediately, or to talk to your IT provider if you have one and have them apply this patch right away. Again, you don't need to take any action for this vulnerability to affect you: just receiving such an email in your Outlook will trigger the exploit.
We will continue to monitor this exploit and update the blog as soon as we get more information. In the meantime, you can check out Microsoft's blog on the Outlook mitigation here, as well as the CVE technical details here.