Microsoft Office Outlook Vulnerability (CVE-2023-23397) Appearance and Manual Measure Guide

AhnLab Security Emergency response Center (ASEC) recently published a notice about a Microsoft Office Outlook vulnerability.

CVE-2023-23397 is a vulnerability that leaks a user’s account credentials upon receiving an email and triggering a notification. The stolen information includes the ‘NTLM’ hash value, which contains the password hashing information for the logged-in account. Threat actors can exploit this information for internal propagation and further compromise of the system.

The application of security patches is essential to prevent the exposure of vulnerabilities, but the team has confirmed that manual measures can be taken by disabling the ‘Reminder’ feature of MS Outlook.

As depicted in the figure below, the notification feature in the email that creates the vulnerability is active, and the malicious address where the stolen information is transferred can be seen here.

Figure 1. Server address of the email (POC) that causes the vulnerability

The following manual measure can be taken.

  • Options > Advanced > Reminders > Disable ‘Show reminders’

The notification feature can no longer be used when this feature is disabled, but it can prevent the vulnerability from occurring. However, caution is advised as the vulnerability can still be triggered if the sound is played by checking ‘Play this sound’ on the malicious email.

The Reminders feature is located in the following area in Microsoft 365 (Outlook 365).

Figure 2. Microsoft 365’s Reminders setting

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 3 votes
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments

[…] post Microsoft Office Outlook Vulnerability (CVE-2023-23397) Appearance and Manual Measure Guide appeared first on ASEC […]