BI.ZONE CESP swiftly responds to protect Outlook users against CVE-2023-23397

Adversaries are now exploiting a new Microsoft Outlook vulnerability to steal user credentials. BI.ZONE CESP protects the users who can’t update the email client
April 6, 2023

In March 2023, Microsoft announced a vulnerability that enabled cybercriminals to compromise Outlook accounts. The vendor labeled the vulnerability CVE-2023-23397 and rated its severity at 9.8 out of 10 on the CVSS scale.

The attack forces the victim’s Outlook client to authenticate to a server it never meant to contact:

  1. The user receives a message with a calendar item or a task that refers to a UNC path controlled by the adversaries. This value is specified in PidLidReminderFileParameter, which provides the location of the audio file to be played when an Outlook reminder becomes overdue for a specific event or task.
  2. Even if the user does not confirm participation in an event or accept a task, the victim’s Outlook client contacts an illegitimate server.
  3. The illegitimate server requests NTLM authentication.
  4. The victim’s Outlook client sends the first NTLM hash with the victim’s name and general information (all in Base64).
  5. The adversaries obtain credentials for authentication.

In other words, the attackers generate an illegitimate file with .msg extension where they specify the following parameters and their values:

  • PidLidReminderOverride = true; permission to set a user audio file for a reminder
  • PidLidReminderFileParameter = ""; the value specifying the path to the adversaries’ server

This way they initiate an NTLM relay attack followed by obtaining the NTLM hash and compromising credentials. Microsoft has already released a special update addressing the described attack. However, not all companies are ready to install patches as soon as they become available.

The BI.ZONE CESP team has quickly developed a detection mechanism against the new vulnerability. The mechanism scans messages and attachments for CVE-2023-23397 even before they appear in the user’s inbox. All clients of the BI.ZONE CESP service already have the mechanism automatically installed, so their email cannot be compromised by attackers.
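As an added illustration of the kind of filtering rule described above (example code, not BI.ZONE’s own), the Python below classifies the two reminder properties once a MAPI/MSG parser has extracted them from a message. The property extraction itself is out of scope, the alternative UNC spellings it checks are an assumption, and all sample values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Spellings under which a reminder sound can point at a remote host. A naive
# check for a leading "\\" misses the long-UNC and URL forms (assumption: the
# alternative forms are treated here as equally suspicious).
_REMOTE_FORMS = (
    re.compile(r"^\\\\\?\\UNC\\([^\\/]+)(?:[\\/]|$)", re.I),  # \\?\UNC\host\share
    re.compile(r"^[\\/]{2}([^\\/?.][^\\/]*)(?:[\\/]|$)"),       # \\host\share, //host/share
    re.compile(r"^(?:file|smb)://([^/\\:]+)", re.I),            # file://host/share
)


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    host: Optional[str] = None


def remote_host(path: str) -> Optional[str]:
    """Return the host named by a UNC/URL-style path, or None for a local path."""
    for pattern in _REMOTE_FORMS:
        match = pattern.match(path.strip())
        if match:
            return match.group(1)
    return None


def classify_reminder(override: bool, file_parameter: Optional[str]) -> Verdict:
    """Judge a calendar item's or task's reminder properties.

    `override` is PidLidReminderOverride and `file_parameter` is
    PidLidReminderFileParameter, both as extracted by a MSG/MAPI parser.
    """
    if not file_parameter:
        return Verdict(False, "default reminder sound")
    host = remote_host(file_parameter)
    if host is None:
        return Verdict(False, "reminder sound is a local file")
    # A reminder sound on another host makes Outlook authenticate there. It is
    # flagged even without the override flag: a remote path has no business
    # being in a reminder at all.
    flag = "override set" if override else "override not set"
    return Verdict(True, f"remote reminder sound ({flag})", host)
```

A mail-filtering hook would call `classify_reminder` for every appointment or task item and quarantine the message on a suspicious verdict; the sample address 203.0.113.5 used in tests is from the documentation range.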

When we first learned about the vulnerability in the Microsoft email client, we immediately estimated how much damage it could cause. That’s why the BI.ZONE CESP team quickly created filtering rules that protect our clients from this vulnerability.
Muslim Medzhlumov
Chief Product and Technology Officer, BI.ZONE