CVE-2023-35311 — Microsoft Outlook Security Feature Bypass Vulnerability

Microsoft Outlook — Security Notice Bypass via Crafted URL; Zero-Day in July 2023 Patch Tuesday

What is Microsoft Outlook?

Microsoft Outlook is the world's most widely deployed email client, used by hundreds of millions of users in enterprise environments globally. Outlook processes HTML email, calendar invitations, and embedded links daily on behalf of its users. It includes security features such as the "Microsoft Outlook Security Notice", a dialog that warns users before they follow a URL or open a file type that could be harmful. A bypass of this notice lets an action that would otherwise require user confirmation proceed silently, which makes it a valuable capability for phishing campaigns targeting Outlook users.

Overview

CVE-2023-35311 is a security feature bypass vulnerability in Microsoft Outlook that allows an attacker to suppress the Outlook Security Notice prompt when a user clicks a specially crafted URL in an email. This means a user who opens a malicious email and clicks a link receives no warning before the link is acted upon — removing a friction point in phishing and malware delivery chains. Microsoft patched it on July 11, 2023 (Patch Tuesday) as an actively exploited zero-day. CISA added it to the KEV catalog the same day.

Affected Versions

Product                                      Affected   Fixed
Microsoft Outlook 2013                       Yes        July 2023 security update
Microsoft Outlook 2016                       Yes        July 2023 security update
Microsoft Outlook 2019                       Yes        July 2023 security update
Microsoft 365 Apps for Enterprise (Outlook)  Yes        July 2023 Channel update
Microsoft Outlook 2021                       Yes        July 2023 security update

Technical Details

The vulnerability is classified as CWE-367 (time-of-check, time-of-use race condition). Outlook decides whether a URL requires the security notice dialog before it processes the URL, and the two steps do not necessarily operate on the same effective value. A URL constructed with particular timing or format characteristics can pass the security check while a different or modified URL is what Outlook ultimately processes: the classic TOCTOU pattern, where the check and the use apply to different values.

In practice, this means a crafted link in an email body causes Outlook to open a URI handler (such as a file share path, an ms-officecmd: URI, or another Windows URI scheme) without displaying the standard warning dialog. This can be used to:

  • Silently trigger Net-NTLM hash leakage by opening a UNC path (enabling credential capture via tools like Responder)
  • Launch protocol handlers that invoke external applications with attacker-controlled arguments
  • Execute macros or scripts that would normally require user confirmation

The only user interaction required is clicking the link in the email, which is the action every phishing scenario already relies on and is not unusual behaviour for the victim.
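The check-versus-use mismatch described above, reduced to a hypothetical link gate so the CWE-367 shape and its fix are visible side by side. This is an added illustration, not Outlook's code: the scheme list, canonicalise(), needs_notice() and the two dispatch functions are all assumptions.

```python
"""Hypothetical link gate: a TOCTOU-shaped dispatcher beside a consistent one."""
import re
from typing import Tuple

# Schemes that must always raise a security notice (illustrative list, not Outlook's).
NOTICE_SCHEMES = {"file", "ms-officecmd", "search-ms"}


def scheme_of(link: str) -> str:
    """Return the lower-cased URI scheme, or '' if the string has none."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", link)
    return match.group(1).lower() if match else ""


def canonicalise(link: str) -> str:
    """Assumed dispatcher normalisation: trim, drop non-printable characters,
    and treat a UNC path as a file: link before handing it to a handler."""
    text = "".join(ch for ch in link.strip() if ch.isprintable())
    if text.startswith("\\\\"):
        return "file:" + text
    return text


def needs_notice(link: str) -> bool:
    return scheme_of(link) in NOTICE_SCHEMES


def dispatch_toctou(raw: str) -> Tuple[str, bool]:
    """CWE-367 shape: the check runs on the raw string, the use on a different value."""
    warned = needs_notice(raw)       # time of check: raw string, no scheme seen for a UNC path
    target = canonicalise(raw)       # time of use: normalised value now carries file:
    return target, warned


def dispatch_fixed(raw: str) -> Tuple[str, bool]:
    """Consistent shape: canonicalise once, then check and use the same value."""
    target = canonicalise(raw)
    return target, needs_notice(target)
```

For a UNC link the TOCTOU variant opens a file: target without ever having decided a notice was due, while the fixed variant checks exactly what it opens.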

Discovery

Microsoft credited Dominic Chell of MDSec. Active in-the-wild exploitation confirms the bypass was being used in real phishing campaigns before the patch.

Exploitation Context

CVE-2023-35311 was one of five zero-days in the July 2023 Patch Tuesday release — alongside CVE-2023-32046 (MSHTML EoP), CVE-2023-32049 (SmartScreen bypass), and CVE-2023-36884 (Office/Windows HTML RCE). This cluster of Outlook and Windows zero-days targeted the phishing delivery chain: bypassing security notices removes the last friction point between a phishing email and successful malware execution. The threat group Storm-0978 (RomCom) was active with similar capabilities in this timeframe.

Remediation

  1. Apply July 2023 Microsoft Office/Outlook security updates — via Windows Update, Microsoft Update, or the Microsoft Download Center.
  2. Keep Microsoft 365 Apps on Current Channel — Microsoft 365 subscribers on Current Channel received the fix through automatic update; ensure auto-update is enabled.
  3. Enable Microsoft Defender for Office 365 Safe Links — processes URL clicks through Microsoft's threat reputation checking, providing an additional layer even if local security notices are bypassed.
  4. Block commonly abused URI schemes where they are not needed — restricting protocol handlers such as ms-officecmd: and search-ms:, and UNC path auto-resolution, through Outlook/Exchange policy and Group Policy reduces the exploitable attack surface.
  5. Monitor for unusual Outlook-spawned processes — security notice bypasses that trigger external applications will appear as Outlook spawning unexpected child processes, which EDR tools can detect.
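Detection logic for remediation step 5, run over constructed process-creation records. This is an added example, not a vendor rule: the fields mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine), the sample events are made up, and the expected/suspicious child lists are assumptions to tune per environment.

```python
"""Flag unexpected or suspicious child processes of Outlook in JSON-lines telemetry."""
import json
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Assumed baseline of children Outlook legitimately starts; tune per environment.
EXPECTED_CHILDREN = {"winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe",
                     "chrome.exe", "firefox.exe", "acrord32.exe", "werfault.exe"}
# Interpreters and LOLBins that should never be spawned directly by Outlook.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def classify(event: dict) -> Optional[str]:
    """Verdict for one process-creation event, or None if it is not of interest."""
    if basename(event.get("ParentImage", "")) != "outlook.exe":
        return None
    child = basename(event.get("Image", ""))
    if r"\\" in event.get("CommandLine", ""):
        return "unc-path"          # child handed a UNC path: possible NTLM leak
    if child in SUSPICIOUS_CHILDREN:
        return "suspicious"
    if child not in EXPECTED_CHILDREN:
        return "unexpected"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over JSON-lines records; return (verdict, child, command line)."""
    findings = []
    for line in lines:
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            findings.append((verdict, basename(event["Image"]), event.get("CommandLine", "")))
    return findings


# Constructed sample telemetry in Sysmon Event ID 1 style; not from a real host.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_LINES = [json.dumps(e) for e in [
    {"ParentImage": OUTLOOK, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\invoice.docx"'},
    {"ParentImage": OUTLOOK, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": OUTLOOK, "Image": r"C:\Windows\explorer.exe", "CommandLine": r"explorer.exe \\203.0.113.10\share"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": OUTLOOK, "CommandLine": "OUTLOOK.EXE"},
]]

if __name__ == "__main__":
    for verdict, child, cmd in scan(SAMPLE_LINES):
        print(f"{verdict:10} {child:14} {cmd}")
```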

Key Details

Property              Value
CVE ID                CVE-2023-35311
Vendor / Product      Microsoft — Outlook
NVD Published         2023-07-11
NVD Last Modified     2025-10-28
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-367
CISA KEV Added        2023-07-11
CISA KEV Deadline     2023-08-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2023-08-01. Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

Timeline

Date        Event
2023-07-11  Microsoft July 2023 Patch Tuesday — CVE-2023-35311 patched as actively exploited zero-day
2023-07-11  Added to CISA Known Exploited Vulnerabilities catalog
2023-08-01  CISA BOD 22-01 remediation deadline

References

Resource                                     Type
Microsoft Security Response Center Advisory  Vendor Advisory
NVD — CVE-2023-35311                         Vulnerability Database
CISA KEV Catalog Entry                       US Government