Trellix warns about new Outlook cybersecurity vulnerability that is triggered by calendar invites

Cybersecurity company Trellix has found a new Outlook security vulnerability, which can grant attackers unfettered access to critical servers. Codenamed CVE-2023-23397, this vulnerability can compromise domains by using leaked NT LAN Manager (NTML) credentials from Outlook. NTML is a suite of Microsoft security protocols for authentication and confidentiality. 

The CVE-2023-23397 vulnerability is the latest in the history of exploits that date back to 2017. This vulnerability allows attackers to leak the credentials by sending a malicious calendar invite to a victim. The CVE-2023-23397 vulnerability is triggered by any Outlook entity that is in the .msg format and has support for invite reminders. 

When an attacker sends the victim a calendar appointment with the custom reminder sound location, the victim’s Outlook client attempts to authenticate with the compromised server to fetch the reminder sound that is done using NTML authentication. This process causes the victim to leak their NTLM credentials to the attacker.

“This vulnerability is exceedingly easy to exploit and has already been observed being leveraged in the wild. Additionally, the victim does not have to directly interact with the e-mail containing the malicious event at all. Interaction with the preview pane is not required,” said the report.

As per the report, there have been several confirmed attacks using this vulnerability. Digital Forensics researchers have found active exploitation campaigns, including one against military contractors in Turkey. That said, more information is coming to light about active exploitation.

For organisations to safeguard themselves against this attack, Microsoft has released a script that can audit Exchange for malicious messages and remove them. The company also advises users to watch out for .msg files using PidLidReminderFileParameter. Users are also cautioned to note any abnormal logins from new or unrecognised internet protocol (IP) addresses. Microsoft also advises applying latest security and performing an audit of organisation’s Exchange server.