Get Help Now

Get expert threat analysis weekly. Sign up to receive our Threat Briefing:


    Date: 3/16/2023


    Critical Outlook Elevation of Privilege Vulnerability


    Among the recent monthly Microsoft updates was a patch for CVE-2023-23397, an Elevation of Privilege Vulnerability in MS Outlook. Exploitation is very easy and occurs by sending a specially crafted calendar appointment which is processed by Outlook even before a user opens or previews it.

    Potential Impact

    When the malicious appointment is processed by Outlook, a user’s NTLMv2 hash can be sent to a location specified by attackers. The hash could then be used in an NTLM Relay attack against another service to authenticate as the user. Evidence shows that ransomware actors have exploited this to establish a foothold within target networks. Exploitation attempts are likely to become very common quickly.

    Recommended Actions

    First and foremost: ensure that the available patches are applied throughout your network. Additionally, Internet-bound SMB/port 445 traffic should be blocked at the network perimeter to prevent hashes being sent during exploitation. Consider adding users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism.

    Microsoft has also released scripts to check for mail items exploiting this vulnerability for on premises and Exchange Online environments.

    Scripts are available here:

    FAQ From Microsoft:

    According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?

    An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.

    Is the Preview Pane an attack vector for this vulnerability?

    The attacker could exploit this vulnerability by sending a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.

    How could an attacker exploit this vulnerability?

    External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker, who can then relay this to another service and authenticate as the victim.

    Where can I find more information about NTLM relay attacks?

    Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks.


    Request Consultation

    For more information, fill out the form below and we will be in touch shortly

      Number of Employees - select one:
      Industry - select one:

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

      Let’s Discuss Your Cybersecurity Needs

      Contact Us  
      Privacy Settings
      We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
      Consent to display content from - Youtube
      Consent to display content from - Vimeo
      Google Maps
      Consent to display content from - Google
      Consent to display content from - Spotify
      Sound Cloud
      Consent to display content from - Sound
      Contact Us