Microsoft Outlook Critical Privilege Escalation Vulnerability
Date of Notice: 03/15/2023
Action Level - Critical
Description
Microsoft has released updates addressing a critical privilege escalation vulnerability affecting Outlook for Windows. An attacker could craft an email that triggers the vulnerability without the user needing to open the email. Once it is exploited, the attacker could access the user’s NTLM hash and ultimately authenticate to the target domain as the attacked user. Microsoft is aware of attackers currently exploiting this vulnerability in the wild.
Due to the critical nature of this vulnerability as well as the fact that it is being exploited, we recommend prioritizing updates on any affected systems as soon as possible.
Affected Versions
- Microsoft Outlook: LTSC 2021, 2019, 2016, 2013 SP1, 2013 RT SP1
- Microsoft 365 Apps for Enterprise
Attack Vector
An attacker could trigger this vulnerability by sending a specially crafted email. The user would not need to open or preview this email in order to trigger the vulnerability.
Attack Feasibility
This vulnerability is currently being exploited in the wild.
Mitigation
Microsoft suggests adding users to the Protected Users Security Group (which may impact some applications where NTLM is required) and blocking TCP 445 on your firewall and/or VPN configuration as partial mitigation.
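One way to stage the two partial mitigations above from PowerShell, as an added example that is not part of this notice or of Microsoft's guidance. It assumes the RSAT ActiveDirectory module and an elevated session; the account names and rule name are constructed placeholders, and limiting the host rule to the Public and Private profiles is an assumption made so that internal SMB on the Domain profile keeps working (the perimeter firewall and VPN still need their own TCP 445 block).

```powershell
# Added example: dry run by default; nothing changes until $Apply is $true.
$Apply    = $false
$Accounts = @('alice.admin', 'bob.admin')              # hypothetical sAMAccountNames
$RuleName = 'Block outbound SMB TCP 445 (off-domain)'  # hypothetical rule name

Import-Module ActiveDirectory

function Get-ProtectedUserNames {
    # Current members of the built-in Protected Users group.
    @(Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty SamAccountName)
}

# 1. Protected Users. Members can no longer authenticate with NTLM, so
#    confirm each account's applications do not depend on it first.
$members = Get-ProtectedUserNames
$toAdd   = @($Accounts | Where-Object { $_ -notin $members })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $toAdd `
        -WhatIf:(-not $Apply)
}

# 2. Host firewall. Block outbound TCP 445 when the machine is not on the
#    domain network, so a laptop off the corporate network cannot open an
#    SMB session to an outside host.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -Protocol TCP -RemotePort 445 -Action Block `
        -Profile Public,Private -WhatIf:(-not $Apply) | Out-Null
}

# 3. Report what is still outstanding after this run.
$members = Get-ProtectedUserNames
[pscustomobject]@{
    NotYetProtected  = @($Accounts | Where-Object { $_ -notin $members })
    BlockRulePresent = [bool](Get-NetFirewallRule -DisplayName $RuleName `
                              -ErrorAction SilentlyContinue)
}
```

Review the dry-run output, then set `$Apply = $true` and run it again; the report lists any accounts still outside the group and whether the block rule exists.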
Remediation
Update to a fixed version of Microsoft Outlook.
Vendor Resources
Microsoft Mitigates Outlook Elevation of Privilege Vulnerability (includes impact assessment script to look for exploit attempts in a MS Exchange on-prem or online environment)