← All Posts

CVE-2023-23397: Zero-Click Outlook Vulnerability Enables Network Credential Theft Without User Interaction

What Is Happening

CVE-2023-23397 is a critical privilege escalation vulnerability in Microsoft Outlook for Windows that allows attackers to steal NTLM authentication hashes without any user interaction. The vulnerability exists in how Outlook processes calendar invitations and task reminders containing a malicious UNC path in the PidLidReminderFileParameter extended MAPI property. When Outlook processes the specially crafted email, it automatically initiates an SMB connection to an attacker-controlled server, leaking the victim's Net-NTLMv2 hash.

This vulnerability has been actively exploited in the wild since at least April 2022, primarily by threat actors linked to Russian military intelligence (GRU). Initial targets included government, military, energy, and transportation organizations in Europe. The exploit requires no user action: simply receiving the malicious email triggers the vulnerability before the user even views it in the preview pane. CISA added this to the Known Exploited Vulnerabilities catalog on March 14, 2023, the same day Microsoft released patches.

The severity of this vulnerability stems from its zero-click nature and the immediate value of captured credentials. Attackers can relay stolen NTLM hashes to authenticate against other services in the victim's environment, including Exchange servers, file shares, and domain controllers. With a CVSS score of 9.8, this represents one of the most dangerous Outlook vulnerabilities disclosed in recent years.

Affected Versions

ProductAffected VersionsStatus
Microsoft 365 Apps for EnterpriseAll versions prior to March 2023 updatePatch Available
Microsoft Office 2019All versions prior to March 2023 updatePatch Available
Microsoft Office LTSC 2021All versions prior to March 2023 updatePatch Available
Microsoft Outlook 2016All versions prior to March 2023 updatePatch Available
Microsoft Outlook 2013All versions prior to March 2023 updatePatch Available

Patch Details:

Outlook for Mac, Outlook on the web (OWA), and Outlook mobile applications are not affected by this vulnerability. Only Windows-based Outlook clients are vulnerable.

What Being on an Affected Version Means

An attacker who exploits this vulnerability gains the victim's Net-NTLMv2 hash, which can be used in two primary ways. First, the hash can be cracked offline to recover the plaintext password, especially effective against accounts with weak passwords. Second, and more immediately dangerous, the hash can be relayed in real-time to authenticate against other services that accept NTLM authentication, including SMB shares, Exchange Web Services, and LDAP.

The attack path typically proceeds as follows: the attacker sends a malicious meeting invite to any user in the organization. When the victim's Outlook client processes the message, it connects to the attacker's SMB server and transmits credentials. The attacker then relays these credentials to access internal resources, potentially including the victim's mailbox via Exchange, sensitive file shares, or in environments without adequate NTLM relay protections, domain controllers. From a compromised mailbox, attackers can harvest additional credentials, access sensitive communications, and send malicious messages to other internal users to expand their foothold.

Mitigation Steps

  1. Apply the March 2023 security updates immediately. For Outlook 2016, install KB5002254. For Outlook 2013, install KB5002265. For Microsoft 365 Apps and Office LTSC, update through your standard deployment channel to builds released March 14, 2023 or later.
  1. Block outbound SMB (TCP 445) at your network perimeter. This prevents the NTLM hash from reaching attacker infrastructure even if a malicious message is processed. Also block outbound WebDAV connections if not required.
  1. Add privileged users to the Protected Users security group. Members of this group cannot authenticate using NTLM, rendering captured hashes unusable for those accounts.
  1. Run Microsoft's diagnostic script to identify any previously received malicious messages. Microsoft released a PowerShell script that scans Exchange mailboxes for items containing the malicious PidLidReminderFileParameter property: https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
  1. Enable SMB signing and enforce EPA (Extended Protection for Authentication) on Exchange and other internal services to prevent NTLM relay attacks.
  1. Monitor for indicators of exploitation:

This is a zero-click, actively exploited vulnerability with trivial exploitation requirements: patch Windows Outlook clients within 24 hours or implement network-level SMB blocking as an immediate compensating control.

Intelligence sourced from: Tenable Research

Concerned about your exposure?

Find out what's exploitable in your environment.

Request Free Assessment