Microsoft Urgent Outlook Vulnerability Notice

March 17, 2023

On 3/14/23 Microsoft released patches to address a critical vulnerability found in Microsoft Outlook for Windows. This vulnerability affects only Microsoft Outlook for Windows. Other versions such as those for Android, iOS, Mac, and Outlook/M365 on the web are not affected.

CVE-2023-23397

Microsoft Outlook Elevation of Privilege (EoP) Vulnerability

CVSSv3.1: 9.8

This vulnerability may be triggered by an attacker that sends a crafted, expired appointment to a user. This will activate the reminder feature within Outlook for overdue appointments with no user interaction required.

The attacker-crafted appointment abuses the path to the sound file that Outlook plays when a reminder is overdue: the message substitutes a UNC (Universal Naming Convention) path that leads to the attacker's own server. When the reminder fires, the Outlook client connects to that path and sends the user’s login name and their NTLM password hash to the attacker’s remote server.

This exploit does NOT require the recipient to interact with the appointment received from the attacker. The message will be processed behind the scenes, potentially leaving the user unaware that they have been compromised.

Mitigations

Detection and Response

  • Microsoft has made a script available that will review the Exchange environment to see whether a property is populated for a UNC path. The script can also be used to clean up the property for the malicious appointment reminders or even delete the items permanently.
  • https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
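The check described above, reduced to its core as an added example (this is not Microsoft's script and does not read a mailbox): given reminder sound-file values already exported from mail items, it flags those holding a UNC path to a host outside the organisation. The record layout, the `INTERNAL_SUFFIXES` allowlist, the treatment of single-label hosts as internal, and the sample data are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: DNS suffixes the organisation uses for its own file servers.
INTERNAL_SUFFIXES = (".corp.example",)

# Matches \\host\..., //host/... and the \\?\UNC\host\... long form.
UNC_RE = re.compile(
    r"^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})(?P<host>[^\\/?]+)[\\/]", re.I)


def unc_host(path):
    """Return the server part of a UNC path, or None for local or empty values."""
    m = UNC_RE.match(path.strip())
    if not m or m.group("host") == ".":      # \\.\ is a local device path
        return None
    # Drop WebDAV-style decorations such as host@80 or host@SSL@443.
    return m.group("host").split("@", 1)[0].lower()


def classify(path):
    """Label a reminder sound value: 'local', 'internal-unc' or 'external-unc'."""
    host = unc_host(path)
    if host is None:
        return "local"
    try:
        return "internal-unc" if ipaddress.ip_address(host).is_private else "external-unc"
    except ValueError:
        pass                                  # not an IP literal, treat as a name
    # Assumption: single-label names and allowlisted suffixes are internal.
    if "." not in host or host.endswith(INTERNAL_SUFFIXES):
        return "internal-unc"
    return "external-unc"


def triage(records):
    """Return (mailbox, subject, host) for each item pointing at an external host."""
    return [(r["mailbox"], r["subject"], unc_host(r["sound"]))
            for r in records if classify(r["sound"]) == "external-unc"]


# Constructed sample records, not output of any real tool.
SAMPLE = [
    {"mailbox": "alice", "subject": "Budget", "sound": r"C:\Windows\Media\Alarm01.wav"},
    {"mailbox": "bob", "subject": "Sync", "sound": r"\\fs01.corp.example\media\chime.wav"},
    {"mailbox": "carol", "subject": "Overdue", "sound": r"\\files.example.net\r\a.wav"},
    {"mailbox": "dave", "subject": "Overdue", "sound": r"\\files.example.net@SSL@443\r\a.wav"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("review:", hit)
```

Items labelled `internal-unc` are not proven benign; they are only a lower priority for review than paths leaving the organisation.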

Additional Resources

Try Cyber

March 15, 2025

Try Cyber is a web application for cyber work role discovery and exploration. It provides the cyber curious free access to short 15-minute hands-on micro-challenges, where participants can experience a day-one internship as one of the ten supported NICE...

PISCES Partner Guides Students With Autism to Cybersecurity Careers

February 16, 2023

Red MSU Denver – MSU Denver, a PISCES partner, writes about their program working with neurodiverse cybersecurity students.

Training the Next Generation of Cyber Guardians

November 2, 2022

Domestic Preparedness – Executive director Steve Stein gives an overview of the program and some real cyber scenarios students have helped prevent.

Eight Days Left to Apply for 2022 CyberForce Competition

September 22, 2022

CyberForce Competition 2022

Registration is now open for the DOE’s 2022 CyberForce Competition® for both student teams and volunteers. Upon registering, you will be asked for your preference of in-person or virtual.

  • Want to know about what to expect if choosing in person at the Q Center? Visit the What to Expect at the Q Center page.
  • In-person benefits include demos of the Conquer the Hill: Reign Edition, networking with sponsors, industry, national laboratory staff, and federal partners, awards ceremony, 1:1 interaction with onsite volunteer (red and green) leads, onsite amenities, tours of nature trails, direct communication with competition staff pre-competition, and more…
  • Upon acceptance, a link to book in-person rooms will be sent.
  • The solar and energy storage scenario has been posted and can be found here.
  • Registration will close September 30. Be sure to register today.

Virtual Career Fair

All participants of the CyberForce® Program will be invited to join our virtual career fair held on October 12, 2022. Industry, national laboratories, and federal agencies will be in attendance to recruit for jobs and internships for their agencies. If you are interested in learning more or getting a booth, please email cyberforcecompetition@anl.gov.

Sponsorship

Calling all companies who are interested in investing in the next generation of their workforce! CyberForce has had over 2,000 participants and with various sponsorship tiers, you are sure to find yourself a great home and networking opportunity that fits your budget. Every tier has a career fair booth, and we welcome all companies to participate at the CyberForce Competition. Please reach out today if you are interested in learning more!

Cybercriminals Targeting Resource-Poor Local Governments

May 26, 2022

MeriTalk’s Grace Dille discusses how smaller state and local governments (SLGs) often do not have the resources to build a robust IT department, and how cybercriminals often target these smaller agencies.

The No. 1 Problem in Cybersecurity

March 1, 2022

RANE Insights Podcast – In this episode of the RANE Insights podcast, Greg Radner speaks with Michael Hamilton at Critical Insight Security about the challenges of defending against ever-increasing cybersecurity threats amid a revolution in work habits.
