Dangerous New Outlook Exploit Triggers Automatically

Microsoft have acknowledged a critical new zero-day vulnerability in Outlook that does not require any user interaction with an email to be triggered.

Reported to Microsoft by the Ukrainian Computer Emergency Response Team (CERT) and graded 9.8/10 on the severity scale according to NIST, the exploit is believed to have already been used by a “Russia-based threat actor” in attacks against European targets across the government, transport, energy and military sectors.

The exploit (CVE-2023-23397) abuses the way Microsoft Outlook attempts to follow links in emails to retrieve remote content, even before they are opened or viewed in the preview pane, allowing a remote attacker’s server to request authentication via an old technology known as NTLM and to automatically receive poorly encrypted username and password details from Outlook. NTLM was officially retired by Microsoft after Exchange 2003, but the technology remains available in current versions.

This is dangerous because, with a username, password and corresponding email address, hackers have effectively completed a credential theft without any interaction from the end user. Many users rely on their email account as a single sign-on for other applications, putting numerous other services at risk.

CVE-2023-23397 is not yet fully documented; however, Microsoft believe the vulnerability occurs “when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat-actor controlled server. No interaction is required.” Once a connection is made, the server sends the user’s client a New Technology LAN Manager (NTLM) negotiation message, which is relayed for authentication, and none of this requires the user to even view the email itself.
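A defender-side check for the mechanism described above, written here as an added example (it is not code from this page or from Microsoft): it scans the extended MAPI properties exported from mailbox items for UNC paths and rates any path pointing at a host outside the organisation as high severity, since the client would open TCP 445 to that host. The property name PidLidReminderFileParameter is my assumption of where the path is carried, and the internal-host allowlist and the three sample messages are constructed.

```python
import re
from ipaddress import ip_address

# A UNC path: \\host\share\... (or \\host@port\... as used for WebDAV).
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@[A-Za-z0-9]+)*\\")
# Constructed allowlist of hosts that clients legitimately reach over SMB.
INTERNAL_HOSTS = {"fileserver01", "fileserver01.corp.example"}
INTERNAL_SUFFIXES = (".corp.example",)

def unc_host(value):
    """Lower-cased host part of a UNC path, or None if value is not a UNC path."""
    if not isinstance(value, str):
        return None
    match = UNC_RE.match(value.strip())
    return match.group(1).lower() if match else None

def is_internal(host):
    """True for allowlisted names, internal DNS suffixes and private IP literals."""
    if host in INTERNAL_HOSTS or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        return ip_address(host).is_private
    except ValueError:  # a DNS name, not an IP literal
        return False

def scan_message(props):
    """One finding per extended property whose value is a UNC path.
    An external host is rated 'high': a client resolving it opens TCP 445 to that
    server and answers its NTLM negotiation with no user action."""
    findings = []
    for name, value in props.items():
        host = unc_host(value)
        if host is None:
            continue
        severity = "info" if is_internal(host) else "high"
        findings.append({"property": name, "host": host, "severity": severity})
    return findings

def triage(messages):
    """Map message id -> findings, keeping only messages that carry a UNC path."""
    results = {mid: scan_message(props) for mid, props in messages.items()}
    return {mid: f for mid, f in results.items() if f}

# Constructed sample export: message id -> extended MAPI properties.
# PidLidReminderFileParameter is assumed to be the property carrying the path.
SAMPLE_MESSAGES = {
    "msg-001": {"PidLidReminderFileParameter": r"\\files.example.net\share\alert.wav"},
    "msg-002": {"PidLidReminderFileParameter": r"\\fileserver01\sounds\chime.wav"},
    "msg-003": {"PidLidReminderFileParameter": r"C:\Windows\Media\notify.wav"},
}
```

Running `triage(SAMPLE_MESSAGES)` reports msg-001 as high (external host) and msg-002 as info (allowlisted file server); msg-003 carries a local path and is not reported.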

The exploit affects only the Microsoft Windows version of the Outlook desktop client. Outlook for Mac, the Outlook web and mobile apps (as well as Outlook.com) are not affected, since these do not support NTLM authentication. Estimates vary, but Outlook is said to be used by over 400 million users worldwide in its various forms.

System administrators are advised to urgently patch with the latest Outlook updates from Microsoft within 24 hours.

Where this is not possible, system administrators are advised to add users to the Protected Users security group (blocking NTLM), or to block TCP 445/SMB outbound at network firewalls or via VPN settings, cutting off any NTLM authentication messages at the perimeter of the network. In both cases, Microsoft warn this may stop other services from working correctly.


For Cyber Security expertise and support, please contact Lineal’s Cyber Security Team today.


How to Set Email Out Of Office

Setting your email out of office is something most people do only occasionally, and therefore can be unfamiliar to many. However, an auto-reply helps present a professional face for your business or organisation while you’re away enjoying the holiday season, and provides reassurance to those trying to contact you.

Here are our handy guides for setting up your auto-reply:


Outlook 2019 Web / Outlook.com

1. Open Outlook from your Office 365 Apps, and click the ‘Settings’ cog icon in the top right of your browser. Click ‘Automatic Replies’.

(If using Microsoft’s Outlook.live.com free personal service, you may need to click ‘View All Outlook Settings’ in your Settings tab for Automatic replies to be visible.)

2. Outlook will open your Autoreply settings. To turn on your Automatic replies, tick the top box labelled ‘Send Automatic Replies’, and enter the text for your auto reply in the text box.

Choose the date and time period you wish your Out Of Office to remain active for, and when ready, click ‘OK’.


Outlook 2019 (for Mac)

1. Open Outlook from your Applications, click ‘Tools’ from the Menu Bar and select ‘Out Of Office’.

2. Outlook will open your Autoreply settings. To turn on your Automatic replies, tick the top box labelled ‘Send Automatic Replies’, and enter the text for your auto reply in the top box.

Choose the date and time period you wish your Out Of Office to remain active for, and when ready, click ‘OK’.


Outlook 2019 (for PC)

1. Open Outlook and click the ‘File’ menu in the top toolbar.

2. From the ‘Info’ tab, click the ‘Automatic Replies/Out Of Office’ button to open the Automatic Replies window.

3. Click ‘Send Automatic Replies’ at the top, choose the date and time period you wish your Out Of Office to remain active for, enter the message you wish to use for your Autoreply in the ‘Outside My Organisation’ text field, and click ‘OK’.


Mac Mail

1. Open Mac Mail.

2. Right-click on the left-hand navigation panel and select ‘Get Account Info’.

Alternatively, if you right-click on a file stored in your own mailbox, you will have a direct link to your Out of Office settings.

3. Click ‘Send Out of Office Replies’, choose the date and time period you wish your Out of Office to remain active for, enter the message you wish to use for your Autoreply in the ‘Internal Reply’ and ‘External Reply’ text fields, and click the red close icon in the top left.

Gmail

1. Open Gmail in your web browser, and click the cog icon in the top right.

2. Open ‘Settings’, click ‘See All Settings’ and scroll down to the section named ‘Vacation Responder’.

3. Switch Vacation Responder to ‘On’. Choose the date and time period you wish your Out Of Office to remain active for, enter the message you wish to use for your Autoreply in the text field, and click ‘Save Changes’.


Kerio Webmail

1. Sign in to Kerio Webmail, and click your email name in the top right of the browser window. Choose ‘Out Of Office’ from the dropdown Menu.

2. Tick ‘Send Out Of Office Message’, choose the date and time period you wish your Out Of Office to remain active for, enter the message you wish to use for your Autoreply in the text field, and click ‘Save’.


Yahoo! Mail

1. Sign in to Yahoo! Mail and click the cog icon in the top right corner of your browser to access your settings. Click ‘More Settings’.

2. Click ‘Out Of Office Response’ in the left-hand menu. Toggle the ‘Turn On Out-Of-Office Response’ switch to ON.

3. Enter the to and from dates you wish your out of office to remain on for, enter the auto-response in the text box, and click ‘Save’.


Windows 10 Mail App

1. Open Mail and click the settings cog in the bottom right of the menu.

2. Select ‘Automatic Replies’ from the settings menu.

3. Select your email account, toggle Automatic replies to ‘ON’ and enter text for your automatic reply for internal and/or external contacts.


For IT support advice and guidance, contact Lineal today.


iOS 11 Mail App hits the rocks

iOS 11 users who updated their iPhones and iPads this week have been given a nasty shock, upon discovering Microsoft email services will no longer function correctly.

Apple are reported to be ‘working closely’ with Microsoft to resolve the issues – affecting compatibility with Microsoft Exchange 2016, Office 365 and Outlook.com – which display an error message informing users that their mail account “Cannot send mail. The message was rejected by the server.”

One week on from Apple’s flagship iPhone X launch, the problem leaves the tech giant with a public relations headache, as early adopters of the newest touchscreen operating system rush to complain online.

Until this recent development, Office 365 had proved hugely popular with iPhone and Mac users, allowing them to plug Microsoft cloud infrastructure, for dull company email and calendars behind the scenes, into their favoured Apple devices and applications for a more enjoyable user experience.

Rubbing salt in the wound, Microsoft also published an official support warning on Tuesday, rather mischievously entitled: “You can’t send or reply from Outlook.com, Office 365, or Exchange 2016 in iOS 11 Mail.app”. According to MacRumors, beta testers (including engineers at Lineal) were raising the Microsoft email service problem as early as July, although it appears to be unresolved by Apple’s developers.

Users urgently needing email are advised to download the Outlook for iOS app from the App Store as a lifesaving alternative, suffer a more Microsoft branded email experience, and await rescue from Apple bug fixers.