Safeguard
Vulnerability Analysis

Outlook NTLM hash leak zero-day (CVE-2023-23397)

A zero-click Outlook flaw let attackers steal NTLM hashes via crafted calendar reminders — exploited by APT28 for a year before patching. Here's what to do.

Michael
Cloud Security Architect
7 min read

In March 2023, Microsoft disclosed a critical Outlook vulnerability that required no user interaction, no malicious attachment click, and no macro execution — just the act of an email arriving in an inbox. CVE-2023-23397 is an elevation-of-privilege flaw in Microsoft Outlook for Windows that lets an attacker steal a user's Net-NTLMv2 hash by sending a specially crafted email or calendar invite. Outlook processes a hidden reminder property in the message, reaches out to an attacker-controlled server over SMB, and leaks authentication material before the victim ever opens the message. Microsoft and CERT-EU linked active exploitation of this bug to the Russian state-sponsored threat actor tracked as APT28 (Forest Blizzard, Fancy Bear, STRONTIUM), which used it against European government, military, energy, and transportation targets for nearly a year before a patch existed. It is one of the cleaner recent examples of a "zero-click" vulnerability that turns a mail client into a credential-harvesting beacon, and it remains a high-value target for opportunistic attackers scanning the internet for unpatched Exchange and Outlook deployments.

What the Vulnerability Actually Does

Outlook items — emails, tasks, and calendar appointments — support a reminder-sound property called PidLidReminderFileParameter, along with a companion flag (PidLidReminderOverride) that lets the sender specify a custom path to the sound file. Under normal use this stays local. CVE-2023-23397 abuses the fact that Outlook will accept a UNC path (e.g., \\attacker-controlled-ip\share\file.wav) in that field.

When Outlook processes the reminder — which happens automatically as part of calendar sync and message handling, often before the user has clicked anything — Windows attempts to authenticate to that remote SMB share using the current user's credentials. That authentication handshake is where the damage happens: the client sends an NTLM negotiation message containing the user's Net-NTLMv2 hash to the attacker's listener. The attacker doesn't need the plaintext password. They can:

  • Relay the captured NTLM hash to another service (Exchange, AD FS, or any system that accepts NTLM authentication) to authenticate as the victim, often without ever cracking it, or
  • Crack the hash offline to recover the plaintext password.

Because the trigger fires during background message processing, this qualifies as a zero-click vulnerability. No preview pane, no click, no attachment execution — just receipt and normal Outlook processing of the item is enough.

Affected Versions and Components

CVE-2023-23397 affects Microsoft Outlook for Windows specifically, across all currently supported versions at time of disclosure:

  • Microsoft Outlook 2013 (SP1)
  • Microsoft Outlook 2016
  • Microsoft Outlook 2019
  • Microsoft Outlook 2021
  • Microsoft 365 Apps for Enterprise (32-bit and 64-bit)

Notably not affected: Outlook for Android, Outlook for iOS, Outlook for Mac, and Outlook on the web (OWA) — the vulnerability depends on Windows-specific handling of UNC paths and NTLM authentication, which these platforms don't share. That distinction matters for prioritization: any organization with a significant Windows-based Outlook desktop footprint (which is most enterprises) was exposed regardless of mail platform (Exchange Online, Exchange on-prem, or hybrid).

CVSS, EPSS, and KEV Status

  • CVSS 3.1 Base Score: 9.8 (Critical) — the vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects network-based access, low attack complexity, no privileges required, and no user interaction, with high impact to confidentiality, integrity, and availability.
  • EPSS: In the weeks following disclosure, EPSS scoring placed this vulnerability in the highest percentile of predicted exploitation probability, consistent with active, confirmed in-the-wild use before and after patch release. Given the value of the credential-theft primitive and the ease of weaponization, exploitation attempts remained widespread well past the initial disclosure window.
  • CISA KEV: Added to the CISA Known Exploited Vulnerabilities catalog on March 15/16, 2023, one day after Microsoft's patch, with a remediation deadline of April 4, 2023 for U.S. federal civilian agencies (BOD 22-01). Its KEV status alone should have been sufficient to trigger emergency patching cycles across any organization with a documented vulnerability management SLA tied to that catalog.

Timeline

  • April 2022: Microsoft and CERT-EU later assessed that APT28 began exploiting this flaw in the wild — nearly a year before public disclosure — targeting European government, military, energy, and transportation-sector organizations.
  • Throughout 2022: Continued targeted exploitation observed against European entities, largely undetected as a distinct vulnerability class at the time.
  • December 2022: CERT-EU reported suspicious activity and shared indicators with Microsoft, kicking off the investigation that identified the root cause.
  • March 14, 2023: Microsoft released the patch for CVE-2023-23397 as part of its March 2023 Patch Tuesday cycle, alongside a Microsoft Threat Intelligence Center (MSTIC) blog detailing APT28's exploitation.
  • March 15–16, 2023: CISA added CVE-2023-23397 to the KEV catalog; Microsoft published a PowerShell script to help defenders audit mailboxes for indicators of compromise.
  • Late March 2023: Public proof-of-concept exploit code appeared, and security researchers observed broad opportunistic scanning and exploitation attempts against unpatched systems well beyond the original nation-state target set.
  • June 2023: Security researchers (MDSec) disclosed that the original patch could be bypassed by manipulating file path formatting, leading Microsoft to issue follow-up fixes tracked as CVE-2023-29324 and CVE-2023-35636 — a reminder that "patched" needs periodic re-verification against variant research.

Remediation Steps

  1. Apply the March 14, 2023 security update immediately, and follow up with the June 2023 patches addressing the CVE-2023-29324 / CVE-2023-35636 bypass variants. Treat this as a KEV-tier emergency change, not a routine patch-cycle item.
  2. Run Microsoft's CVE-2023-23397 detection script against on-premises and hybrid Exchange environments to audit mailbox items (emails, calendar invites, tasks) for the malicious PidLidReminderFileParameter / PidLidReminderOverride properties, and remediate any flagged items.
  3. Force password resets and revoke sessions for any account where indicators of compromise are found, and treat the underlying NTLM hash as compromised — assume potential lateral movement or relay activity occurred.
  4. Block outbound SMB (TCP 445) at the network perimeter to prevent NTLM authentication attempts from reaching attacker-controlled infrastructure outside the corporate network. This is a durable mitigation against this vulnerability class generally, not just this specific CVE.
  5. Disable NTLM where feasible, or enforce Extended Protection for Authentication (EPA) on Exchange Server and other services that currently accept NTLM, reducing the value of a stolen hash even if one is captured.
  6. Add high-privilege accounts to the Protected Users security group or otherwise restrict NTLM usage for administrative and service accounts, which are the highest-value relay targets.
  7. Monitor for anomalous outbound SMB/NTLM authentication attempts originating from mail-processing infrastructure, and alert on Outlook client connections to unfamiliar external IP ranges.

How Safeguard Helps

Safeguard is built to catch exactly this class of high-severity, actively-exploited vulnerability before it becomes an incident, and to help teams triage it correctly when it lands in a scan. Griffin AI continuously correlates new CVE and KEV data against your actual software inventory — including client applications like Outlook — so a critical disclosure like this surfaces immediately with the right context, rather than being buried in a generic severity list. Reachability analysis helps prioritize by confirming whether the vulnerable component is actually deployed and reachable in your environment, cutting through alert fatigue when a CVSS 9.8 headline hits every dashboard at once. SBOM generation and ingest give security and IT teams a live, queryable inventory of installed Office and Outlook versions across the fleet, so "which machines still need patching" becomes a query instead of a manual audit. And where remediation involves configuration or dependency changes across infrastructure-as-code and CI/CD pipelines, Safeguard's auto-fix PRs can push the fix directly into version control, shrinking the gap between disclosure and full remediation — the exact window nation-state actors and opportunistic scanners both exploit.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.