One of the first major security vulnerabilities of 2023 has hit, and it’s a massive one. This Outlook exploit allows remote attackers to steal a user’s Windows password by simply sending them an email.
Let’s review what this exploit does, why it’s so dangerous, and what we’ve done to protect our clients.
The Outlook Exploit
On Microsoft’s March 14th Patch Tuesday, the company fixed a vulnerability in Microsoft Outlook labeled CVE-2023-23397. This is a zero-day exploit (an important security term to know) that allows an attacker to retrieve someone’s Windows credentials by sending an email with malicious code embedded.
Critically, this bug does not require any user interaction to exploit. With most email attacks, the recipient has to take an action, such as opening an attachment, to give the malicious actor access. But in this case, the action all happens on the email server side, so the recipient doesn’t even need to open the message in Outlook’s Preview Pane to start the process.
This issue only affects the desktop version of Outlook for Windows. Other Outlook offerings like the Android and iPhone apps, and Outlook’s web app, are not affected.
How This Outlook Attack Works
This attack allows the bad actor to retrieve the user’s password, but not directly. It relies on an outdated security protocol called NTLM, or New Technology LAN Manager. Since 2010, Microsoft has recommended against using this protocol, but many applications still use it for compatibility with legacy systems.
Victims of the attack don’t have their password stolen in plain text. Instead, the attacker uses NTLM to gain access to the hash of the user’s password. We’ve explained what hashing is in our guide to how websites keep your password secure.
In short, hashing is a mathematical operation that’s easy to do one way, but extremely difficult to perform in the reverse. For example, if your password is “abc123”, the hash might become “r2%^Z9”. When you type your password to log into a website, it transmits the hashed version so the site can check if your password is correct without actually transmitting your password.
An attack known as “pass the hash” allows someone with the hash of a user’s password to bypass authentication, as if they had the person’s password. When the server asks for the user’s password, the attacker can provide the hash to log in as that person. This is a known vulnerability in NTLM, and there’s no perfect mitigation option—many of them are disruptive to other normal business processes.
Use Cases for the Attack
As with many publicly revealed attacks, it didn’t take long for proof-of-concepts utilizing this exploit to circulate. Given the popularity of Outlook and simplicity of the exploit, the number of potential victims is enormous.
Microsoft reported that Ukraine’s Computer Emergency Response Team reported this, and they have seen attacks exploiting this bug by Russian actors against European systems.
The potential damage that an attacker could do with a user’s password hash is massive, especially if the victim is an executive at the company. They could impersonate the victim and thus compromise internal email discussions. Attackers could also use these credentials to plant malware on a company’s machines, stealthily gather information to plan a wider attack, and similar.
Unlike many attacks, this one can’t be guarded against by educating employees and using strong passwords. And as with all password compromises, a victim is more vulnerable if they reuse the stolen password on multiple sites.
Our Response to the Exploit
On March 17, within three hours of learning about proof of concept exploits taking advantage of this bug, Next7 IT ran an update prompt to patch Outlook on all systems. This critical patch from Microsoft will protect against the vulnerability on patched systems in a less disruptive way than the stop-gap methods Microsoft recommended earlier in the week.
As we’ve seen, this is a nasty exploit due to its wide attack surface and ease of deploying. It illustrates the importance of proactive IT support; our clients didn’t have to risk days or weeks without being protected from this issue.