In Microsoft’s email software Outlook, there appears to be a vulnerability that cybercriminals can exploit to capture passwords of other users. The targeted individual simply needs to open a calendar invitation attached to a specifically crafted email. Following this action, Outlook transfers the NTLMv2 hash of the user’s password to a system controlled by the attacker, as explained by security researchers from Varonis in a recent blog post.
For the attack to succeed, the email delivered to the target's mailbox must carry two specific headers. One tells Outlook that the message contains shared content; the other points to a file on the attacker's system in ICS format (iCalendar, the standard format for exchanging calendar data).
When the target opens the calendar invitation in Outlook, the software attempts to authenticate itself to the attacker’s system to access the ICS file. In doing so, the NTLMv2 hash of the password is transmitted.
Passwords can be obtained through brute force

The actual password can then be recovered, for example, by a brute-force attack against the hash, the researchers explain. This can be done locally on a system the attacker controls, leaving no traces in the target's network. There are also web tools with databases containing billions of NTLM hashes of known passwords; if the intercepted hash appears in one of these databases, the associated password can be determined even faster.
Moreover, the security researchers warn that an Authentication Relay Attack is possible using the NTLMv2 hash. This means the attacker could intercept the authentication request from the victim and use it to log in to a targeted system without needing to know the password in plaintext.
Outlook vulnerability patched, others not

Microsoft released a patch for the security flaw, registered as CVE-2023-35636, on December 12, 2023, and classified it as "important" with a CVSS score of 6.5. Varonis had reported the vulnerability to the company in July 2023, the researchers explain, along with two other security flaws in Windows File Explorer and the Windows Performance Analyzer (WPA), which could likewise lead to the exposure of NTLMv2 hashes.
However, Microsoft closed the tickets for the latter two vulnerabilities due to their “moderate severity.” “These were not patched; according to Microsoft, this behavior was not considered a vulnerability,” said one of the Varonis security researchers to SC Media.
Towards the end of their report, the researchers share some possible protective measures to prevent the inadvertent leakage of NTLMv2 hashes. This includes, for example, blocking outbound NTLM authentications, which is now possible under Windows 11, as well as enforcing Kerberos authentication.
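One way to apply the first of these measures on a Windows client, as an added example that is not from the article or from Varonis: the script below reads and, on request, tightens the long-standing "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (registry value RestrictSendingNTLMTraffic), which stops the outbound NTLM authentication that this leak depends on. The exception list and the Audit-first workflow are assumptions about a sensible rollout, not something the article prescribes; the newer Windows 11 toggle the researchers mention is not used here.

```powershell
# Added example (not from the article or Varonis). Run in an elevated PowerShell session.
# Policy values for RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all.
param(
    [ValidateSet('Report', 'Audit', 'Deny')]
    [string]$Mode = 'Report',
    # Assumed example: internal hosts that still legitimately need NTLM (exceptions list).
    [string[]]$AllowedServers = @()
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutgoingNtlmPolicy {
    # A missing value means the policy is not configured, which behaves like "Allow all".
    $value = (Get-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' `
                -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($value) {
        2       { 'Deny all (outgoing NTLM blocked)' }
        1       { 'Audit all (outgoing NTLM logged, not blocked)' }
        default { 'Allow all (default: an NTLMv2 hash leak such as CVE-2023-35636 succeeds)' }
    }
}

Write-Host "Current policy: $(Get-OutgoingNtlmPolicy)"

if ($Mode -ne 'Report') {
    $target = if ($Mode -eq 'Deny') { 2 } else { 1 }
    Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value $target -Type DWord
    if ($AllowedServers.Count -gt 0) {
        # "Add remote server exceptions for NTLM authentication": hosts listed here may
        # still receive NTLM even when the policy is Deny, so keep the list short and internal.
        Set-ItemProperty -Path $lsaKey -Name 'ClientAllowedNTLMServers' `
            -Value $AllowedServers -Type MultiString
    }
    Write-Host "New policy: $(Get-OutgoingNtlmPolicy)"
}

# In Audit mode the NTLM operational log records each outgoing NTLM attempt (event 8001).
# Review these before switching to Deny so that NTLM-only targets can be added as exceptions;
# an unexpected entry pointing at an external host is exactly what this attack would produce.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

In a domain, the same policy is normally set through Group Policy under Security Options rather than directly in the registry; the script is useful for checking a single machine or a test host.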