A severe security flaw is currently affecting the widely used Microsoft Outlook/365 suite and requires immediate patching. The vulnerability, tracked as CVE-2023-23397 with a CVSS score of 9.8, lets remote, unauthenticated attackers compromise systems simply by sending a crafted email that leaks the recipient's credentials.
Alarmingly, the victim isn’t required to open the malicious email. According to Microsoft’s guidance on this Microsoft 365 vulnerability, the email automatically activates when the Outlook client retrieves and processes it. Consequently, exploitation can occur even before the email appears in the Preview Pane.
This critical vulnerability impacts both 32-bit and 64-bit Microsoft 365 Apps for Business & Enterprise, as well as Office 2013, 2016, and 2019 (including LTSC). The attack is initiated by a malicious email that prompts the victim's Outlook client to connect to an attacker-controlled location. That connection reveals the victim's Net-NTLMv2 hash (the challenge-response value used for NTLM authentication in Windows environments) to the attacker, who can then relay it to another service while impersonating the victim.
In summary, the mere presence of a malicious email jeopardizes your security, making this an extremely dangerous vulnerability.
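The connection described above is triggered by the reminder sound file path stored on the mail item (the extended MAPI property PidLidReminderFileParameter), which the attacker points at a UNC path on a host they control. The checker below is an added example, not code from this page or from Microsoft; it assumes an investigator has already exported that property per message into (message id, value) pairs (the export format is hypothetical) and flags values that resolve to a network host outside the organisation's trusted domains, including WebDAV-style `\\host@port\...` variants.

```python
import re

# Constructed sample export: (message_id, PidLidReminderFileParameter value).
# The export format is hypothetical; the values mimic what a mailbox scan might return.
SAMPLE_ITEMS = [
    ("msg-001", None),                                        # no reminder sound set
    ("msg-002", r"C:\Windows\Media\reminder.wav"),            # local file, benign
    ("msg-003", r"\\203.0.113.7\share\alert.wav"),            # UNC to external host
    ("msg-004", r"\\fileserver.corp.example\sounds\chime.wav"),  # UNC to trusted host
    ("msg-005", r"\\203.0.113.7@80\webdav\alert.wav"),        # WebDAV-style UNC, external
]

# Hosts ending in one of these suffixes are considered internal (assumed org domain).
TRUSTED_HOST_SUFFIXES = (".corp.example",)

# Matches \\host\share\..., \\host@port\... and \\host@SSL\... style UNC paths.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:\d+|SSL))?\\(.*)$", re.IGNORECASE)


def classify_reminder_path(value):
    """Return (kind, host): kind is 'none', 'local' or 'unc'; host only for 'unc'."""
    if not value:
        return ("none", None)
    m = UNC_RE.match(value)
    if m:
        return ("unc", m.group(1).lower())
    return ("local", None)


def is_suspicious(value, trusted=TRUSTED_HOST_SUFFIXES):
    """A reminder path is suspicious when it points at a host outside the trusted domains."""
    kind, host = classify_reminder_path(value)
    if kind != "unc":
        return False
    return not host.endswith(trusted)


def scan(items, trusted=TRUSTED_HOST_SUFFIXES):
    """Return (message_id, remote_host) for every item whose reminder path is suspicious."""
    return [
        (mid, classify_reminder_path(val)[1])
        for mid, val in items
        if is_suspicious(val, trusted)
    ]


if __name__ == "__main__":
    for mid, host in scan(SAMPLE_ITEMS):
        print(f"{mid}: reminder sound points at external host {host}")
```

The hosts it reports are the ones to block for outbound SMB (TCP 445) and to look for in firewall or proxy logs from the affected workstations.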
Fortunately, for our proactive support customers, including our Assurance customers, we have already taken the necessary steps to patch this vulnerability, ensuring your systems remain secure and protected against this exploit.