Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes
18-Jan-24
Varonis Threat Labs discovered a new Outlook vulnerability (CVE-2023-35636) among three new ways to access NTLM v2 hashed passwords by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer.
With access to these passwords, attackers can attempt an offline brute-force attack or an authentication relay attack to compromise an account and gain access. One of Outlook’s features is the ability to share calendars between users. However, this feature can be exploited, as discovered by Varonis Threat Labs, by adding a few headers in an email to trigger an attempt to authenticate, redirecting the hashed password.
Microsoft has recognized the exploit for Outlook as an “important” CVE-2023-35636, rated 6.5, and issued a patch for CVE-2023-35636 on December 12, 2023.
