Outlook is a near-ubiquitous communications application, and with so many social engineering and phishing campaigns targeting users through their inboxes, vulnerabilities left unpatched in it become an attractive attack vector. One of three Microsoft vulnerabilities recently disclosed by Varonis can leak hashed passwords through an Outlook calendar invitation with just one click. This vulnerability was assigned CVE-2023-35636, and Microsoft distributed a patch on December 12, 2023. However, according to Varonis, two additional vulnerabilities remain unaddressed by the Redmond giant.
In the Outlook vulnerability, the attacker abuses the Outlook calendar's invitation function. When a user accepts the malicious invitation, Outlook exchanges the calendar details between the two computers, and it is during this exchange that the hashed passwords can leak. All three vulnerabilities described by Varonis are leveraged to steal NTLM v2 hashes, but the Outlook calendar one has been classified as the most severe.
According to Varonis, the two other vulnerabilities leveraged to steal NTLM v2 hashes are also worth noting: they involve Windows Performance Analyzer (WPA) and Windows File Explorer (WFE). However, they require more user interaction, and Microsoft has stated that it does not consider them vulnerabilities and has not issued a patch.
To protect against brute-forcing of leaked NTLM hashes, systems administrators may wish to consider employing Kerberos for authentication instead of Microsoft's NTLM v2; Kerberos reduces the risk posed by brute-forcing hashed passwords. Additionally, keep patches and updates current. For more details, see SC Magazine or Varonis.
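On Windows, "prefer Kerberos over NTLM v2" is enforced through the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies, which decide whether a host will still hand an NTLMv2 response to a remote server at all. As an added example (not code from the article or from Varonis), this PowerShell audit reads the registry values behind those policies on the local host; the paths and value names are Microsoft's documented ones, while the pass/fail thresholds are my assumptions about a hardened baseline.

```powershell
# Added example, not code from the article or from Varonis.
# Audits the local NTLM policy values that decide whether this Windows host
# will still send an NTLMv2 response to a remote server, which is what a
# hash-leak bug like the Outlook calendar-invite one relies on.
# Run in an elevated PowerShell session.

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing value means the policy is "Not Defined" and the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-NtlmHardening {
    $findings = @()

    # "Network security: LAN Manager authentication level".
    # 5 = send NTLMv2 only and refuse LM/NTLM; lower levels still permit weaker responses.
    $lmLevel = Get-PolicyValue $lsa 'LmCompatibilityLevel'
    if ($null -eq $lmLevel -or $lmLevel -lt 5) {
        $findings += "LmCompatibilityLevel is '$lmLevel'; expected 5 (NTLMv2 only)."
    }

    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # 0 = allow all, 1 = audit only, 2 = deny all. Only 2 forces Kerberos (or a
    # hard failure) instead of an NTLMv2 hash being sent to an attacker's server.
    $restrict = Get-PolicyValue $msv10 'RestrictSendingNTLMTraffic'
    if ($null -eq $restrict -or $restrict -lt 2) {
        $findings += "RestrictSendingNTLMTraffic is '$restrict'; expected 2 (deny outgoing NTLM)."
    }

    # "Network security: Restrict NTLM: Add remote server exceptions".
    # Every entry is a host NTLM may still be sent to, so the list should be short and reviewed.
    $exceptions = Get-PolicyValue $msv10 'ClientAllowedNTLMServers'
    if ($exceptions) {
        $findings += "NTLM exception list is non-empty: $($exceptions -join ', ')"
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-NtlmHardening | Format-List
```

Setting RestrictSendingNTLMTraffic to 1 first and reviewing the resulting audit events in the Microsoft-Windows-NTLM/Operational log shows which legitimate servers would break before you move to 2.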