CVE-2023-23397: Zero-Click Outlook Vulnerability Enables Network Credential Theft Without User Interaction
What Is Happening
CVE-2023-23397 is a critical privilege escalation vulnerability in Microsoft Outlook for Windows that allows attackers to steal NTLM authentication hashes without any user interaction. The vulnerability exists in how Outlook processes calendar invitations and task reminders containing a malicious UNC path in the PidLidReminderFileParameter extended MAPI property. When Outlook processes the specially crafted email, it automatically initiates an SMB connection to an attacker-controlled server, leaking the victim's Net-NTLMv2 hash.
This vulnerability has been actively exploited in the wild since at least April 2022, primarily by threat actors linked to Russian military intelligence (GRU). Initial targets included government, military, energy, and transportation organizations in Europe. The exploit requires no user action: simply receiving the malicious email triggers the vulnerability before the user even views it in the preview pane. CISA added this to the Known Exploited Vulnerabilities catalog on March 14, 2023, the same day Microsoft released patches.
The severity of this vulnerability stems from its zero-click nature and the immediate value of captured credentials. Attackers can relay stolen NTLM hashes to authenticate against other services in the victim's environment, including Exchange servers, file shares, and domain controllers. With a CVSS score of 9.8, this represents one of the most dangerous Outlook vulnerabilities disclosed in recent years.
Affected Versions
| Product | Affected Versions | Status |
|---|---|---|
| Microsoft 365 Apps for Enterprise | All versions prior to March 2023 update | Patch Available |
| Microsoft Office 2019 | All versions prior to March 2023 update | Patch Available |
| Microsoft Office LTSC 2021 | All versions prior to March 2023 update | Patch Available |
| Microsoft Outlook 2016 | All versions prior to March 2023 update | Patch Available |
| Microsoft Outlook 2013 | All versions prior to March 2023 update | Patch Available |
Patch Details:
- Security Update KB5002254 (Outlook 2016)
- Security Update KB5002265 (Outlook 2013)
- Microsoft 365 Apps and Office 2019/LTSC 2021 receive patches through standard update channels
- Official advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Outlook for Mac, Outlook on the web (OWA), and Outlook mobile applications are not affected by this vulnerability. Only Windows-based Outlook clients are vulnerable.
What Being on an Affected Version Means
An attacker who exploits this vulnerability gains the victim's Net-NTLMv2 hash, which can be used in two primary ways. First, the hash can be cracked offline to recover the plaintext password, especially effective against accounts with weak passwords. Second, and more immediately dangerous, the hash can be relayed in real-time to authenticate against other services that accept NTLM authentication, including SMB shares, Exchange Web Services, and LDAP.
The attack path typically proceeds as follows: the attacker sends a malicious meeting invite to any user in the organization. When the victim's Outlook client processes the message, it connects to the attacker's SMB server and transmits credentials. The attacker then relays these credentials to access internal resources, potentially including the victim's mailbox via Exchange, sensitive file shares, or in environments without adequate NTLM relay protections, domain controllers. From a compromised mailbox, attackers can harvest additional credentials, access sensitive communications, and send malicious messages to other internal users to expand their foothold.
Mitigation Steps
- Apply the March 2023 security updates immediately. For Outlook 2016, install KB5002254. For Outlook 2013, install KB5002265. For Microsoft 365 Apps and Office LTSC, update through your standard deployment channel to builds released March 14, 2023 or later.
- Block outbound SMB (TCP 445) at your network perimeter. This prevents the NTLM hash from reaching attacker infrastructure even if a malicious message is processed. Also block outbound WebDAV connections if not required.
- Add privileged users to the Protected Users security group. Members of this group cannot authenticate using NTLM, rendering captured hashes unusable for those accounts.
- Run Microsoft's diagnostic script to identify any previously received malicious messages. Microsoft released a PowerShell script that scans Exchange mailboxes for items containing the malicious
PidLidReminderFileParameterproperty: https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
- Enable SMB signing and enforce EPA (Extended Protection for Authentication) on Exchange and other internal services to prevent NTLM relay attacks.
- Monitor for indicators of exploitation:
- Windows Security Event ID 4648 (explicit credential logon) showing connections to external IPs
- Firewall logs showing outbound SMB (445/TCP) connection attempts to non-internal IP addresses
- Exchange message tracking logs showing calendar items from external senders with unusual properties
- Network telemetry showing SMB connections to internet-routable IP addresses
This is a zero-click, actively exploited vulnerability with trivial exploitation requirements: patch Windows Outlook clients within 24 hours or implement network-level SMB blocking as an immediate compensating control.