Microsoft announced this week that a major vulnerability was discovered in Microsoft Outlook that allows an attacker to steal credentials without interacting with the user. When an attacker sends a specially crafted message to a vulnerable user, Outlook will process the message and attempt to connect to a remote server on port TCP/445 with the user’s NTLM credentials. The attacker can then use these credentials for privilege escalation or lateral movement. All versions of Outlook for Windows are affected. Mobile versions, Mac and Outlook on the web are not impacted. Additionally, since the attack harvests NTLM credentials, only those using Active Directory Domain Services are vulnerable. Organizations using systems joined only to Azure Active Directory are not impacted.
Interlink strongly recommends that clients take quick action to protect your environment.
- Block outgoing port TCP/445 at their firewall.
- Patch Outlook for Windows on all systems as soon as possible. Outlook patches can be accessed at CVE-2023-23397 - Security Update Guide - Microsoft - Microsoft Outlook Elevation of Privilege Vulnerability.
Microsoft’s blog post on the vulnerability can be access at Microsoft Mitigates Outlook Elevation of Privilege Vulnerability | MSRC Blog | Microsoft Security Response Center.
If you need assistance in applying patches or determining if your organization has been impacted, Interlink is ready to assist. Please reach out to your account manager or directly to our service desk at support@interlink.com or 800-900-1150.
