Axon Rapid Response - CVE-2023-23397 Outlook Vulnerability
Incident Report for Rapid Response Status Page
Resolved
Following the recently published Outlook vulnerability in all versions of Microsoft Outlook for Windows (CVE-2023-23397), team Axon evaluated the risk and possible impact of potential exploitations.

Organizations are advised to update Microsoft Outlook for Windows in their environments to the latest version. Additional details and recommended mitigations can be found in the advisory shared by email with Axon customers.

While the team performs threat hunting across customers' environments to detect potential exploitation, hunting queries have been shared in our GitHub repository (https://github.com/axon-git/rapid-response/tree/main/Outlook%20Vulnerability%20-%20CVE-2023-23397) for customers' use.

As always, you are welcome to contact the team for any further questions.
Team Axon
Posted Mar 22, 2023 - 09:55 UTC
Investigating
Team Axon is aware of the newly discovered vulnerability, CVE-2023-23397, that affects Microsoft Outlook.

CVE-2023-23397 allows threat actors to steal NTLM credentials by sending a malicious email to a target user, which requires no user interaction. Threat actors can use the obtained NTLM hashes to get access to a target system by executing pass-the-hash attacks or cracking the hashes offline. CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows. Outlook on the web and Microsoft 365 are not affected by this vulnerability.

Team Axon recommends applying the latest security updates from Microsoft immediately (released in the recent Patch Tuesday).

Additional mitigations that may be considered, taking into account the potential impact on the organization's operations, include:
1. Blocking outbound SMB connections to external addresses. This prevents NTLM authentication messages from being sent to remote file shares.
2. Adding high-value accounts, such as Domain Admins, to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism (this may impact applications that require NTLM).
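As an added illustration of the first mitigation (not one of Axon's published hunting queries), the following Python checks egress flow records for outbound SMB from internal hosts to external addresses, separating connections that were allowed (a live credential-leak path) from ones the firewall already blocked (a host worth a closer look). The record format, the sample lines and the internal address ranges are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

SMB_PORT = 445

# Address space the organisation treats as internal (assumption: RFC 1918 plus
# loopback and link-local; replace with the real internal ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample flow records: "<timestamp> <src> -> <dst>:<port> <action>".
SAMPLE_LOG = """\
2023-03-19T10:01:02Z 10.0.5.23 -> 203.0.113.7:445 allow
2023-03-19T10:01:05Z 10.0.5.23 -> 10.0.0.12:445 allow
2023-03-19T10:02:11Z 10.0.7.8 -> 198.51.100.4:445 block
2023-03-19T10:03:00Z 10.0.7.8 -> 198.51.100.4:443 allow
this line is not a flow record
"""

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "block"

def parse_flow(line: str):
    """Parse one record; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst, port = parts[3].rsplit(":", 1)
    try:
        ipaddress.ip_address(parts[1])
        ipaddress.ip_address(dst)
        return Flow(parts[0], parts[1], dst, int(port), parts[4].lower())
    except ValueError:  # malformed IP address or non-numeric port
        return None

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_external_smb(log_text: str):
    """Return {"leaked": [...], "blocked": [...]} for internal->external TCP/445 flows."""
    findings = {"leaked": [], "blocked": []}
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow.dport != SMB_PORT:
            continue  # skip unparsable records and non-SMB traffic
        if is_external(flow.dst) and not is_external(flow.src):
            findings["blocked" if flow.action == "block" else "leaked"].append(flow)
    return findings
```

Run on real firewall or NetFlow exports, an entry under "leaked" means the SMB egress block from mitigation 1 is not yet effective for that host.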

The team is actively monitoring the threat landscape for active exploitation of the vulnerability and will privately contact customers found to be affected as part of its proactive threat hunting. The team will post progress updates and upload threat-hunting queries to https://github.com/axon-git/rapid-response.

Yours,
Team Axon
Posted Mar 19, 2023 - 16:42 UTC
This incident affected: Rapid Response.