CVE-2023-23397 is a critical zero-day vulnerability that impacts Microsoft Outlook.
Unlike other exploits we’ve seen in the past, this one is particularly dangerous because no user interaction is required to trigger it.
The best thing to do is to patch your systems immediately. Microsoft issued a patch on March 14th, 2023.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397
How does it work?
Threat actors can exploit this vulnerability just by sending a malicious email; the user does not even need to open it!
From there, attackers capture Net-NTLMv2 hashes, which are used for authentication in Windows environments.
LM hashes are the oldest password storage format used by Windows, dating back to OS/2 in the 1980s. LM was turned off by default starting in Windows Vista/Server 2008, but it might still linger in a network if older systems are still in use. The modern storage format is the NTLM hash (or just NTLM), a misleading name, as Microsoft refers to it as the NTHash.
The NTLM protocol uses the NTHash in a challenge/response exchange between a server and a client. There are two versions of the protocol, v1 and v2.
When the bad guys can crack your NTHash, it allows them to potentially authenticate as your users, escalate privileges, or further compromise the environment.
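Net-NTLMv2 capture of this kind works by making the victim's client authenticate to a server the attacker controls, so outbound SMB (TCP 445/139) towards Internet addresses is the network signal a defender can hunt for. The Python below is an added example, not part of the original post: it scans constructed firewall log lines in an assumed key=value format and flags such connections, treating RFC 1918, loopback and link-local space as internal.

```python
import ipaddress
import re

# Assumed internal space: RFC 1918 plus loopback and link-local; a real
# deployment would add its own public ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}  # SMB over TCP and NetBIOS session service

# Hypothetical key=value firewall export format (assumed, not from the post).
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$")

# Constructed sample lines: a workstation reaches an internal file server
# (benign), then it and a second host open SMB towards Internet addresses.
SAMPLE_LOG = """\
2023-03-15T09:12:01Z src=10.20.5.17 dst=10.20.1.5 dport=445 proto=tcp action=allow
2023-03-15T09:12:07Z src=10.20.5.17 dst=203.0.113.44 dport=445 proto=tcp action=allow
2023-03-15T09:12:09Z src=10.20.5.17 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-03-15T09:13:30Z src=10.20.5.23 dst=198.51.100.9 dport=139 proto=tcp action=deny
2023-03-15T09:14:02Z src=10.20.5.23 dst=198.51.100.9 dport=445 proto=tcp action=allow
"""

def parse_line(line):
    # Return the fields of a well-formed line as a dict, else None.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text):
    # Flag TCP to an SMB port at an external address; denied attempts are
    # kept too, since the client was still induced to authenticate outward.
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS \
                and is_external(rec["dst"]):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_outbound_smb(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['action']})")
```

Each flagged source host is a candidate for checking whether the user received a message around that time and whether the account's credentials need resetting.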
This is a known attack technique that Microsoft has been trying to shut down since 2021.
Here is an old article from MacroSec’s Dharmik Karania, who now works for KPMG.