CVE-2023-23397
📋 TL;DR
CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook that allows attackers to steal NTLM hashes without user interaction. When exploited, it enables credential theft that can lead to domain compromise. All Outlook users on affected versions are vulnerable.
💻 Affected Systems
- Microsoft Outlook
📦 What is this software?
365 Apps by Microsoft
Office by Microsoft
Office Long Term Servicing Channel by Microsoft
Outlook by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete domain takeover via NTLM relay attacks leading to lateral movement, data exfiltration, and ransomware deployment.
Likely Case
Credential theft enabling lateral movement within the network and privilege escalation.
If Mitigated
Limited impact with proper network segmentation, NTLM blocking, and monitoring in place.
🎯 Exploit Status
Exploitation requires sending a specially crafted email but does not require user interaction. Actively exploited in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: March 2023 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Restart Required: Yes
Instructions:
1. Apply March 2023 Microsoft security updates via Windows Update.
2. For Microsoft 365 Apps, ensure automatic updates are enabled.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Block NTLM authentication
Windows: Prevent outgoing NTLM authentication to remote servers, which blocks the credential leak this vulnerability triggers. The value lives under the MSV1_0 subkey; 2 denies all outgoing NTLM traffic (1 only audits it), so anything that still depends on NTLM will break and the setting should be tested first.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 2 -Type DWord
Disable WebDAV protocol handler
Windows: Remove the WebDAV protocol handler to close that exploitation vector
reg delete "HKCR\PROTOCOLS\Handler\webdav" /f
🧯 If You Can't Patch
- Implement network segmentation to isolate Outlook clients and block outbound SMB traffic
- Enable SMB signing and disable NTLM authentication where possible
🔍 How to Verify
Check if Vulnerable:
Check Outlook version and verify March 2023 security updates are not installed
Check OS version (this command reports the operating system build, not the Outlook build):
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify March 2023 security updates are installed via Windows Update history or systeminfo command
📡 Detection & Monitoring
Log Indicators:
- Outlook process making SMB connections to external IPs
- Event ID 4624 with NTLM authentication from Outlook process
Network Indicators:
- Outbound SMB traffic from Outlook clients to external IPs
- NTLM authentication attempts from Outlook to unusual destinations
SIEM Query:
source="windows" (process_name="OUTLOOK.EXE" AND destination_port=445) OR (event_id=4624 AND logon_type=3 AND process_name="OUTLOOK.EXE")
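As an added example (not part of this advisory page or any Microsoft tooling), the first half of the SIEM query above, Outlook opening SMB connections to external addresses, implemented over constructed sample connection events. The field names (`process`, `dst_ip`, `dst_port`) and the sample records are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample connection events modelled on the network indicators above.
# Field names are assumed for this example; adapt them to your own log schema.
SAMPLE_EVENTS = [
    {"ts": "2023-03-15T09:12:01Z", "host": "WS01", "process": "OUTLOOK.EXE", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"ts": "2023-03-15T09:12:07Z", "host": "WS01", "process": "OUTLOOK.EXE", "dst_ip": "203.0.113.10", "dst_port": 445},
    {"ts": "2023-03-15T09:13:22Z", "host": "WS02", "process": "chrome.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": "2023-03-15T09:14:05Z", "host": "WS03", "process": "outlook.exe", "dst_ip": "198.51.100.20", "dst_port": 445},
]

SMB_PORT = 445

# Address ranges treated as "internal" for this check: RFC 1918, loopback and link-local.
# Extend this list with your own public ranges if your file servers sit on routable space.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]


def is_external(ip: str) -> bool:
    """True when the destination is outside every range listed in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_outlook_smb_egress(events):
    """Return the events where Outlook opens an SMB (TCP/445) connection to an external address.

    Outlook reaching internal file shares is normal; the suspicious pattern for
    CVE-2023-23397 is an SMB connection leaving the organisation, since that is
    where the NTLM credential would be sent.
    """
    hits = []
    for ev in events:
        if ev["process"].lower() != "outlook.exe":
            continue
        if ev["dst_port"] != SMB_PORT:
            continue
        if not is_external(ev["dst_ip"]):
            continue  # internal share access is expected Outlook behaviour
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_outlook_smb_egress(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['host']}: Outlook SMB egress to {hit['dst_ip']}")
```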