Fortra’s Alert Logic is actively researching CVE-2023-23397, a Microsoft Outlook 365 vulnerability that allows attackers to breach systems. The attack is triggered by a malicious email that is launched automatically once processed by the Outlook client and does not need to be opened by the recipient. The attacker can then leak the victim’s NetNTLMv2 hash as the basis of an NTLM Relay attack and authenticate as a legitimate user.
Who is affected?
Customers using the 32- and 64-bit versions of Microsoft 365 Apps for Enterprise, Office 2013, 2016, 2019, and LTSC 2021 are all affected by this vulnerability.
What can I do?
Microsoft recommends adding users, including Domain Admins, to the “Protected Users Security Group” to prevent the use of NTLM as an authentication mechanism. Admins should also block TCP 445/SMB outbound from your network.
How is Alert Logic helping me?
Alert Logic is actively researching this threat to build detection capabilities. Alert Logic appliances and infrastructure are not affected by this vulnerability.
Network IDS: Alert Logic has deployed IDS signatures to detect exploit attempts for this vulnerability and aid in further detection research.
Vulnerability Scanning: Alert Logic released scan coverage on March 13, 2023, by 21:00 CST to identify this vulnerability. An authenticated scan performed after this release will check for the version of Microsoft. If a vulnerable version is found, an exposure will be raised for CVE-2023-23397.
Alert Logic has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.
03/23/2023: Alert Logic deployed IDS signatures on March 22 to detect exploit attempts for this vulnerability and aid in further detection research.