A recently discovered vulnerability in Microsoft Outlook can compromise an account without opening an email. How to protect your corporate accounts.
Microsoft first reported CVE-2023-23397 last week and immediately classified it as “critical.” Security experts agree that this warning is not exaggerated: attackers can exploit the vulnerability without the victim having to click anything, so, unlike many classic attack methods, the attack does not rely on the carelessness of the user.
All an attacker needs to do is send the victim an email containing a note or task item. The content of the email can cause Outlook to connect automatically to a remote UNC location controlled by the attacker, to which the user’s NTLMv2 authentication is then sent. This allows the attacker to take over the account even before the victim clicks on the email. The vulnerability affects the Outlook Windows client and Outlook accounts connected to an Exchange server.
Snowball effect
The web and mobile versions may not be affected, but the attack surface of this vulnerability is still very large. Security experts fear that almost every Outlook user could be compromised in some way, and CVE-2023-23397 is therefore already being described as one of the most dangerous Outlook vulnerabilities to date.
Another cause for concern is that Microsoft has made information about the vulnerability public. It is common for zero-day details to be released as soon as a patch that closes the vulnerability is rolled out, which gives organizations the first opportunity to plug the leak. However, since organizations are not always quick to patch, we are now in the dangerous phase in which attackers also know how to exploit the vulnerability.
This could create a “snowball effect,” and we could see multiple attacks exploiting the vulnerability in the coming days. The impact on the victim ranges from data theft and malware distribution to disruption of day-to-day communications and business operations, depending on the permissions of the compromised account.
How to protect your business
The most obvious solution is to install the latest available updates for the Outlook email client and Exchange, although, as Dark Reading notes, this can disrupt the configuration of the email system. Other security measures you can take are blocking TCP 445/SMB traffic leaving the network with a firewall or VPN so that the NTLM tokens are not sent out, and adding all active users to the Protected Users security group.
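As an added defensive check, not taken from the article or from Microsoft’s own scanning script, the Python below flags calendar or task items whose reminder sound path would make Outlook reach out to a remote UNC host; the reminder sound property (PidLidReminderFileParameter) is the value Microsoft’s published detection script inspects, so the input here is a list of such values. The sample paths, the internal address ranges and the DNS suffix are constructed assumptions to be replaced with your own.

```python
import ipaddress

# Constructed sample: reminder sound-file values as an Exchange scan of
# calendar/task items might surface them (none of these are real hosts).
SAMPLE_REMINDER_PATHS = [
    r"C:\Windows\Media\notify.wav",                # local file: benign
    r"\\fileserver.corp.example\sounds\ding.wav",  # internal share: benign
    r"\\203.0.113.10\share\a.wav",                 # external IP: suspicious
    r"\\?\UNC\evil.example\c$\x.wav",              # long-path UNC form
    "file://203.0.113.10/share/a.wav",             # file: URL form
    "//203.0.113.10@80/x.wav",                     # host@port form (WebDAV)
    "",                                            # no reminder sound set
]

# Assumptions: adjust to your own address space and AD DNS suffixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)


def unc_host(path):
    """Host that Outlook would contact to fetch this reminder sound, or None
    for local, relative or empty paths that cause no network access."""
    p = path.strip().replace("\\", "/")
    if p.lower().startswith("file:"):
        p = p[len("file:"):]
    if p.lower().startswith("//?/unc/"):          # \\?\UNC\host\share form
        p = "//" + p[len("//?/unc/"):]
    if not p.startswith("//"):
        return None
    host = p[2:].split("/", 1)[0].split("@", 1)[0]  # drop share and @port
    return host.lower() or None


def is_external(host):
    """True if the host is outside the configured internal ranges/suffixes.
    Single-label names only resolve via internal DNS/NetBIOS (assumption)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                            # a DNS name, not an IP
        return "." in host and not host.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_reminders(paths):
    """(path, host) pairs whose reminder would trigger an outbound SMB/WebDAV
    connection, and therefore an NTLM authentication, to an external host."""
    return [(path, unc_host(path)) for path in paths
            if unc_host(path) and is_external(unc_host(path))]
```

Run `suspicious_reminders(SAMPLE_REMINDER_PATHS)` to see the four items that would leak credentials; items whose path is local or points at an internal share are left alone.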