Outlook: Calendar entry can steal password


A new vulnerability in Outlook opens three ways to obtain NTLM v2 password hashes. One of them works through the calendar sharing function: two extra headers in a calendar entry are enough to trigger the leak. The researchers who discovered the vulnerability are warning about it.

Varonis Threat Labs discovered the new Outlook vulnerability (CVE-2023-35636) and three new ways to exploit it. These allow an attacker to obtain NTLM v2 password hashes via Outlook, Windows Performance Analyzer (WPA) and Windows File Explorer. With such a hash in hand, attackers can attempt an offline brute force attack or an authentication relay attack to compromise an account and gain access.

Unpatched systems at risk

Microsoft disclosed these vulnerabilities and existing exploits in July 2023. Since then, Microsoft has classified the WPA and Windows File Explorer vulnerabilities as “medium severity” and the Outlook 6.5 exploit as “important” (CVE-2023-35636). Microsoft subsequently released a patch for this CVE on December 12, 2023. Unpatched systems remain vulnerable to threat actors attempting to steal hashed passwords using the above methods.

What is behind CVE-2023-35636?

CVE-2023-35636 is an exploit that instructs the calendar sharing feature in Microsoft Outlook to add two headers to an Outlook email. These headers, ostensibly pointing to shared content, cause Outlook to contact a specific computer, which makes it possible to intercept an NTLM v2 hash. NTLM v2 is a cryptographic authentication protocol used by Microsoft Windows to authenticate users to remote servers. While NTLM v2 is a more secure version of the original NTLM, v2 is still vulnerable to offline brute force and authentication relay attacks.

Leaking NTLM v2 hashes with Outlook

Outlook is the default email and calendar tool for the Microsoft 365 suite and is used by millions of people around the world for both business and personal purposes. One of Outlook's features is the ability to share calendars between users. However, this feature can be exploited, as Varonis Threat Labs discovered, by inserting some headers into an email to trigger an authentication attempt and redirect the hashed password.

Attack scenario

This exploit uses the same attack scenario as the other Windows File Explorer exploit.

  • An attacker creates a malicious link using the exploit described above.
  • To send the victim the malicious link, an attacker may use email phishing, a fake website advertisement, or even send the link directly via social media.
  • Once the victim clicks on the link, the attacker can obtain the hash and then attempt to crack the user's password offline.
  • Once the hash is cracked and the password is obtained, an attacker can use it to log in to the organization as a user.

More protection against NTLM v2 attacks

There are several ways to protect against NTLM v2 attacks:

  • SMB signing – SMB signing is a security feature that helps protect SMB traffic from tampering and man-in-the-middle attacks. It works by digitally signing all SMB messages. This means that if an attacker attempts to modify an SMB message, the recipient can detect the change and reject the message. SMB signing is enabled by default in Windows Server 2022 and later, and is available on Windows 11 Enterprise Edition (starting with Insider Preview Build 25381).
  • Block outbound NTLM v2 starting with Windows 11 (build 25951). Microsoft has added an option to block outbound NTLM authentication.
  • If possible, enforce Kerberos authentication and block NTLM v2 at both the network and application levels.

More at Varonis.com
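The following script is an added example, not part of the article or of Varonis' material: it audits the three hardening settings listed above on a Windows machine and, with -Enforce, applies them. It assumes an elevated PowerShell session; the RestrictSendingNTLMTraffic registry value is the local equivalent of the "Restrict NTLM: Outgoing NTLM traffic to remote servers" Group Policy setting, and the BlockNTLM SMB client property only exists on Windows 11 Insider build 25951 and later.

```powershell
# Added example (not from the article or Varonis): audit and optionally enforce
# the NTLM v2 hardening settings listed above. Run elevated; -Enforce applies changes.
param([switch]$Enforce)

$findings = @()

# 1. SMB signing: client and server sides are configured separately.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
if (-not $client.RequireSecuritySignature) { $findings += 'SMB client does not require signing' }
if (-not $server.RequireSecuritySignature) { $findings += 'SMB server does not require signing' }

# 2. Outbound NTLM restriction (local equivalent of the Group Policy setting
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers").
#    0 = allow all, 1 = audit only, 2 = deny all.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $restrict -or $restrict -lt 2) {
    $findings += "Outbound NTLM is not denied (RestrictSendingNTLMTraffic = $restrict)"
}

# 3. SMB client NTLM block (Windows 11 Insider build 25951 and later). The property
#    is absent on older builds, so absence is reported rather than treated as 'off'.
$hasBlockNtlm = $null -ne $client.PSObject.Properties['BlockNTLM']
if ($hasBlockNtlm) {
    if (-not $client.BlockNTLM) { $findings += 'SMB client BlockNTLM is off' }
} else {
    $findings += 'SMB client BlockNTLM is not available on this build'
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked NTLM hardening settings are in place.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

if ($Enforce) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # Start in audit mode (1) and move to deny (2) only after reviewing the
    # Microsoft-Windows-NTLM/Operational log for outbound NTLM still in use.
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    if ($hasBlockNtlm) { Set-SmbClientConfiguration -BlockNTLM $true -Force }
}
```

Audit mode first matters in practice: denying outbound NTLM outright breaks access to any file server or application that has not yet been moved to Kerberos.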

About Varonis

Since its founding in 2005, Varonis has taken a different approach than most IT security providers by placing company data stored both locally and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans and other intellectual property. The Varonis data security platform (DSP) detects insider threats and cyber attacks through the analysis of data, account activities, telemetry and user behavior, prevents or limits data security breaches by locking down sensitive, regulated and outdated data, and maintains a secure state of the systems through efficient automation.
