Evan Schuman, Contributor

Microsoft Outlook security hole lets attackers in without opening a tainted message

News Analysis
Aug 14, 2024 | 4 min read
Cyberattacks | Email Security | Vulnerabilities

The zero-click hole, which was patched by Microsoft Tuesday, could point to far more vulnerabilities in the form-based architecture of Outlook.

[Image: email security key on keyboard. Credit: Markus Mainka / Shutterstock]

Among the large batch of security patches that Microsoft released on Tuesday was an especially nasty hole within Microsoft’s Outlook email client, one that would allow an attacker full access by simply sending the user an email, even if the recipient chooses to not open the message.

If the attack is successful, the end user would have no way of knowing that they have been attacked. “You will not know. You will not experience anything,” said Michael Gorelik, the chief technology officer at Morphisec, the security firm that says it discovered the hole and reported it to Microsoft.

Gorelik said that the hole, which has now been patched, did require the attacker to have email credentials for the attack to work.

But, he added, “Even if the attacker has email credentials, it does not mean he had access to the network or the computer. Any normal organization has to assume that some of its employees’ credentials are out by definition.”

After all, he pointed out, “If adversaries could execute code in the network by merely having email credentials, we would have 1000% more cases of ransomware compromise and we wouldn’t need initial access brokers.”

The risk is still there

Of far greater concern, Gorelik said, is that this flaw may indicate the existence of similar zero-click holes that Microsoft has yet to patch.

“There are at least two more confirmed CVEs that have yet to be patched, (both of) which lead to full NTLM [NT LAN Manager] compromise, so the risk is still there,” Gorelik told CSO Online on Wednesday.

The hole, which Microsoft has dubbed CVE-2024-38173, allows any email malware to be activated without the recipient opening the message, courtesy of Outlook’s popular email preview function. But even for those who are not using mail preview, the malware is still likely to be activated, as most corporate employees would likely open those messages. They know to not open an unknown attachment or click on an unexpected link, but this attack methodology requires neither of those actions.

“The discovery of CVE-2024-38173 highlights a critical flaw in the form-based architecture of Outlook, where an attacker with access to an account can craft and propagate a malicious form that evades detection due to a faulty deny list implementation,” Gorelik said. 

Form security at fault

But Gorelik stressed that Tuesday’s patch likely does not resolve the underlying vulnerability.

“This vulnerability is the third in a series, indicating a persistent issue with Microsoft’s handling of form security. To mitigate the risk of exploitation, enterprises should enforce Kerberos authentication by default and block NTLM where possible,” he said. “Additionally, hardening endpoints and restricting certain protocols, such as SMB [server message block], are crucial steps.”

The problem with the remaining holes is that they all involve ways of bypassing the Microsoft deny list, thereby allowing a custom form to execute automatically, Gorelik explained. He suggested blocking all outbound SMB permissions as well as strictly enforcing SMB signing.
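The mitigations Gorelik lists in the two preceding paragraphs (prefer Kerberos and block NTLM, require SMB signing, block outbound SMB) map to a small set of Windows settings. The script below is an added example written for this page; it is not code from the article, from Microsoft or from Morphisec. It audits a single Windows host against those settings and applies them only when run with the `-Apply` switch. The parameter names and the firewall rule name are choices made for this example; the registry values are the ones behind the corresponding Group Policy settings.

```powershell
<#
  Added example (not from the article or Morphisec): audit a Windows host against the
  NTLM / SMB hardening quoted above, and enforce it only with -Apply. Run elevated.
  Assumptions: parameter names and the firewall rule display name are chosen here.
#>
[CmdletBinding()]
param(
    [switch]$Apply,                    # without it the script only reports
    [string]$FirewallProfile = 'Any'   # narrow to 'Public' on hosts that need SMB internally
)

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10    = "$Lsa\MSV1_0"
$RuleName = 'Example - Block outbound SMB TCP 445'

function Get-RegValue([string]$Path, [string]$Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the policy is "not configured"
}

# Registry values behind the Group Policy settings this advice maps to:
#   LmCompatibilityLevel = 5       "Send NTLMv2 response only. Refuse LM & NTLM"
#   RestrictSendingNTLMTraffic = 2 "Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all"
#   (1 = "Audit all"; review the Microsoft-Windows-NTLM/Operational log before moving to 2)
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Control, $Current, $Desired) {
    $Findings.Add([pscustomobject]@{
        Control   = $Control
        Current   = if ($null -eq $Current) { 'not set' } else { $Current }
        Desired   = $Desired
        Compliant = ($Current -eq $Desired)
    })
}

# --- audit -----------------------------------------------------------------
$lm  = Get-RegValue $Lsa   'LmCompatibilityLevel'
$out = Get-RegValue $Msv10 'RestrictSendingNTLMTraffic'
Add-Finding 'LmCompatibilityLevel (NTLMv2 only)'         $lm  5
Add-Finding 'RestrictSendingNTLMTraffic (deny outgoing)' $out 2

$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
Add-Finding 'SMB client RequireSecuritySignature' $client.RequireSecuritySignature $true
Add-Finding 'SMB server RequireSecuritySignature' $server.RequireSecuritySignature $true

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
Add-Finding 'Outbound TCP 445 block rule present' ([bool]$rule) $true

$Findings | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply to enforce the non-compliant controls.'
    return
}

# --- enforce ---------------------------------------------------------------
if ($lm -ne 5) {
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
}
if ($out -ne 2) {
    if (-not (Test-Path $Msv10)) { New-Item -Path $Msv10 -Force | Out-Null }
    Set-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
}
if (-not $client.RequireSecuritySignature) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
if (-not $server.RequireSecuritySignature) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile $FirewallProfile -Enabled True | Out-Null
}
Write-Host 'Mitigations applied; some settings take effect after a reboot or SMB reconnect.'
```

Run it without arguments first: the table shows which of the five controls are already in place. Two of the changes need care before `-Apply` on a domain-joined machine. Setting `RestrictSendingNTLMTraffic` to 2 refuses every outgoing NTLM authentication, so anything that cannot do Kerberos (IP-addressed shares, some appliances) stops working; setting it to 1 first and reviewing the NTLM operational log shows what still depends on NTLM. Blocking outbound TCP 445 to all destinations also blocks legitimate file shares and SYSVOL access, so on such hosts scope the rule with `-FirewallProfile Public` or add a `-RemoteAddress` scope to the rule, which Gorelik's "block outbound SMB" advice presumes is done at the perimeter in the general case.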

One strategy to defend against the issues, he said, is to leverage AMTD, which is a concept from Gartner called Automated Moving Target Defense, in which system configurations, network characteristics, or software are dynamically modified to disrupt attackers’ efforts to discover and exploit vulnerabilities.

It may get worse

The NTLM matter is something that Microsoft has wrestled with before. And in its blog post, Morphisec offered ways that these problems could get much worse.

It said that the holes leveraged “techniques to hijack and leak NTLM. Both vulnerabilities are critical, as attackers could theoretically chain them and build a full attack chain allowing the adversary complete control of the system without the need for prior authentication.”

This story has been updated with a clarification that the patched flaw required the attacker to have email credentials.


Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at [email protected] and he can be followed at http://www.linkedin.com/in/schumanevan/. Look for his blog twice a week.

The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
