The Canadian Centre for Cyber Security has released an alert to inform IT professionals and managers about a critical vulnerability in Microsoft Outlook (CVE-2023-23397) that has been exploited by sophisticated actors in the wild. The vulnerability allows a malicious actor to send a specially crafted email carrying a malicious payload; on receipt, the victim's Outlook client automatically connects to a UNC path under the actor's control, which leaks the user's Net-NTLMv2 password hash and enables further exploitation.

The Cyber Centre advises immediate patching, blocking outbound TCP 445/SMB, adding users to the Protected Users security group, limiting the use of NTLM, and regularly running the Microsoft-provided script to detect potentially malicious messaging items. Recipients who observe any activity matching the alert's content are urged to report it to the Cyber Centre.
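The following PowerShell is an added example, not part of the Cyber Centre alert or any Microsoft tooling, showing how three of the listed mitigations (outbound SMB block, Protected Users membership, NTLM restriction) can be applied and verified on a domain-joined Windows host. It assumes the NetSecurity and ActiveDirectory modules are available, that it runs elevated, and that the account names are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the alert). Account names below are placeholders.

# 1. Block outbound SMB (TCP 445) so Outlook cannot reach an attacker-controlled UNC path.
New-NetFirewallRule -DisplayName "Block outbound SMB (CVE-2023-23397 mitigation)" `
    -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any

# 2. Add high-value accounts to Protected Users, which prevents them from authenticating with NTLM.
$accounts = @('alice.admin', 'bob.admin')   # placeholder sAMAccountNames
Add-ADGroupMember -Identity 'Protected Users' -Members $accounts

# 3. Limit NTLM: start by auditing outgoing NTLM traffic (1) before denying it outright (2),
#    so that legacy dependencies show up in the event log before anything breaks.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Verify that each control took effect.
Get-NetFirewallRule -DisplayName "Block outbound SMB*" | Select-Object DisplayName, Enabled, Action
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
Get-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic'
```

The host-level firewall rule above blocks all outbound 445, including connections to internal file servers; scope it with `-RemoteAddress` (or apply the block at the network perimeter, as the alert intends) if internal SMB must keep working. Protected Users applies only to domain accounts and also disables weaker Kerberos options, so test it on a pilot group before rolling it out to administrators broadly.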

Relevant URL: https://www.cyber.gc.ca/en/alerts-advisories/microsoft-outlook-zero-day-vulnerability-allowing-ntlm-credential-theft