Microsoft Outlook users are being warned of a critical vulnerability, with a severity rating of 9.8 out of 10, that has already been exploited in the wild.
The vulnerability, tracked as CVE-2023-23397, is an elevation of privilege vulnerability affecting all currently supported versions of Outlook for Windows. It is triggered when the Outlook client retrieves and processes a specially crafted email, before the message is displayed in the Preview Pane, and requires no user interaction. According to Microsoft, the vulnerability has already been used by a Russia-based threat actor to target government, transport, energy, and military sectors in Europe.
How the Outlook exploit is triggered
The Microsoft Security Response Center (MSRC) reports that the exploit is triggered when an attacker sends a message with an extended MAPI property containing a UNC path to an SMB (TCP 445) share on a server the threat actor controls; no interaction is required. When Outlook processes the message it connects to that share and authenticates with NTLM, which hands the attacker the user's Net-NTLMv2 hash to relay against other systems or crack offline. Online services such as Microsoft 365 do not support NTLM authentication and are therefore not vulnerable to these messages.
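The check below is an added example, not Microsoft's own detection script and not code from the original article. The extended MAPI property the article refers to is the reminder sound file path, PidLidReminderFileParameter, which the article does not name. The function flags any value that would make Outlook open a UNC path on a host outside an allow list; the sample message items, the host names, and the allow list are constructed for the example:

```powershell
# Added example: decide whether a reminder sound path would make Outlook
# reach out to a remote share (the CVE-2023-23397 trigger).
function Test-RemoteReminderPath {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Path,
        # Hosts that may legitimately serve sound files (assumed names)
        [string[]]$AllowedHosts = @()
    )
    # Outlook also accepts forward slashes, so normalise before matching
    $normalized = $Path -replace '/', '\'
    # Not a UNC path (empty, or a local file such as C:\...) -> harmless
    if (-not ($normalized -match '^\\\\([^\\]+)\\')) { return $false }
    $server = $Matches[1]
    # Strip WebDAV-style suffixes (host@80, host@SSL@443) before comparing
    $server = ($server -split '@')[0]
    return ($AllowedHosts -notcontains $server)
}

# Constructed sample items standing in for the property values a mailbox scan
# would return; only the third one points at an untrusted host.
$items = @(
    @{ Subject = 'Quarterly report'; ReminderFile = '' },
    @{ Subject = 'Reminder';         ReminderFile = 'C:\Windows\Media\Alarm01.wav' },
    @{ Subject = 'Invoice overdue';  ReminderFile = '\\203.0.113.10\share\alert.wav' },
    @{ Subject = 'Ops call';         ReminderFile = '\\fileserver.corp.example\sounds\ding.wav' }
)

foreach ($item in $items) {
    if (Test-RemoteReminderPath -Path $item.ReminderFile -AllowedHosts 'fileserver.corp.example') {
        "SUSPICIOUS: '$($item.Subject)' -> $($item.ReminderFile)"
    }
}
```

Keep the allow list short and explicit: a legitimate reminder sound is almost always a local file, so any UNC value is worth a look, and an IP address or an unfamiliar external host in that property is a strong indicator of a crafted message.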
Microsoft has released a security update to address this vulnerability, as well as provided workaround mitigations for those unable to apply the security updates immediately.
How to protect against the Outlook exploit
Mandiant, a Google-owned threat intelligence company, believes that the vulnerability has been exploited for almost a year by threat actors to target organizations and critical infrastructure. Administrators are advised to patch immediately, as the vulnerability is relatively easy to exploit and does not require user interaction.
If immediate patching is not possible, Microsoft has provided two temporary mitigations. Administrators can add users to the Protected Users security group, which prevents NTLM from being used as an authentication mechanism for those accounts (and may break applications that still depend on NTLM), or block outbound TCP 445/SMB at the perimeter firewall, on the local firewall, and in VPN settings.
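The two workarounds as they would be applied from an elevated PowerShell prompt, as an added example that is not part of the original article or of Microsoft's guidance text. The firewall rule name and the account names are assumptions; the Protected Users step needs the ActiveDirectory module and rights to modify group membership:

```powershell
# Added example: apply the two CVE-2023-23397 workarounds on Windows.

# 1. Block outbound SMB on the endpoint with the host firewall. The perimeter
#    firewall and the VPN client profile need the equivalent rule, because a
#    laptop off the corporate network will otherwise still reach TCP 445.
$ruleName = 'CVE-2023-23397 block outbound SMB'   # assumed name
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
    -Protocol TCP -RemotePort 445 -Action Block -Profile Any

# Verify the rule is present and enabled before relying on it
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 2. Add high-value user accounts to Protected Users, which stops NTLM for them.
#    Do not add computer or service accounts, and check first for workloads
#    that still authenticate with NTLM: they will stop working for these users.
Import-Module ActiveDirectory
$accounts = 'alice', 'bob'                        # assumed sAMAccountNames
Add-ADGroupMember -Identity 'Protected Users' -Members $accounts

# Confirm membership
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Both steps reduce exposure rather than remove the flaw: the firewall rule only stops the connection to the attacker's share, and Protected Users only covers the accounts placed in it, so the security update remains the fix.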