Microsoft Outlook (CVE-2023-23397)

A critical vulnerability in Microsoft Outlook, CVE-2023-23397, allows threat actors to steal the NTLM credentials of Outlook users with minimal complexity or effort. It can be exploited by sending an email to a target user and does not require that user to open the email.

This is an actively exploited zero-day vulnerability that was reported earlier this month. For more information on this CVE, please refer to Microsoft’s official documentation found here.

To protect your organization from this risk, Randori recommends enacting all of the following mitigations:

  • Apply the released patch by Microsoft as soon as possible

  • Block outbound TCP port 445 (SMB) connections from leaving the internal network

  • Add critical and high-value users to the Protected Users security group (https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group)

  • Apply application whitelisting and control outbound communications from relevant hosts
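As an added example that is not part of the Randori post, the following PowerShell implements the second and third mitigations at host level (a perimeter block on outbound 445 is still assumed); it requires an elevated session, and the Protected Users step assumes the ActiveDirectory RSAT module on a domain-joined admin host. The account name jdoe is a placeholder.

```powershell
# Added example, not from the original post: host-level CVE-2023-23397 mitigations.
#Requires -RunAsAdministrator

function Block-OutboundSmb {
    # Block outbound TCP/445 to non-intranet destinations so Outlook cannot be
    # made to authenticate to an external SMB server. "Internet" is the Windows
    # Firewall address keyword for non-intranet ranges; confirm your hosts'
    # network-location classification before relying on it alone.
    $name = 'Block outbound SMB (CVE-2023-23397 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    # Return the effective rule so the caller can confirm it is enabled and blocking.
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Action
}

function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    # Members of Protected Users cannot authenticate with NTLM, so a leaked hash is
    # of little use. Apply it to interactive user accounts only: service and computer
    # accounts must not be members, and members can no longer sign in offline.
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
}

# Example usage ('jdoe' is a placeholder account name).
Block-OutboundSmb
Add-ToProtectedUsers -SamAccountName 'jdoe'
```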

You can use Randori’s Recon platform to gain visibility into your impacted assets by configuring the view on your Targets page with the filter ServiceName CONTAINS Outlook. If you need to narrow the results to on-premises versions of Outlook and exclude those hosted by Microsoft 365 (O365), consider adding the qualifying filter Tags DOES NOT HAVE TAG Microsoft 365.