Used by over a million customers worldwide, Microsoft Outlook is at the core of communication, productivity and effectiveness for most companies globally. Recently, Microsoft disclosed a critical weakness in Microsoft Outlook and released a patch for the zero-day vulnerability.
A zero-day vulnerability is a disclosed weakness in a system or device that has yet to be patched. These are dangerous to users as cybercriminals race to exploit these vulnerabilities before systems are patched.
The most recent Microsoft Outlook vulnerability is concerning because the exploit is triggered upon receipt of a malicious email. The vulnerability allows attackers to steal Windows New Technology LAN Manager (NTLM) authentication hashes by sending malicious Outlook notes or tasks to the unsuspecting victim. An attacker will use these hashes to attempt to access other systems and data on the network. The exploit triggers automatically when the message is retrieved and processed by the Outlook client. No interaction is required: the user does not have to open the email or even preview it to be affected.
The risks of a vulnerability like this are far-reaching. They include the breach of core IT systems, distribution of malware, business email compromise and disruption of business operations. This vulnerability will require substantial efforts to mitigate and remediate. Any company, regardless of size or type, could be impacted if it currently uses supported versions of Outlook for Windows. Those using Outlook for the web or instances running on Android, iOS, or Mac are not believed to be impacted.
Microsoft released its latest round of security updates for Microsoft users, which all users should apply immediately. You should also complete the impact assessment to determine if your organization was targeted. The assessment checks the PidLidReminderFileParameter property of messages in your organization’s users’ mailboxes. If any objects are detected, check them to identify if they are malicious. If they are, they can be removed, or the property can be cleared. If no objects are detected, malicious messages were not present.
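The following is an added example, not code from the original article or from Microsoft, showing one way to triage the PidLidReminderFileParameter values an impact assessment turns up. It assumes the values have already been exported as rows, and that a value worth investigating is a UNC path to a host outside the organization; the trusted suffix, trusted network and sample rows are constructed placeholders.

```python
import ipaddress
import re

# Assumptions (hypothetical values): what this organization treats as its own.
TRUSTED_SUFFIXES = (".corp.example",)
TRUSTED_NETS = (ipaddress.ip_network("10.0.0.0/8"),)

# UNC forms: \\host\share, //host/share and \\?\UNC\host\share
_UNC = re.compile(r"^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})([^\\/]+)", re.IGNORECASE)

def unc_host(value):
    """Return the host of a UNC path, or None when the value is not one."""
    m = _UNC.match(value.strip())
    if not m or m.group(1) in ("?", "."):  # \\?\C:\... and \\.\ are local
        return None
    # Drop WebDAV-style suffixes such as host@SSL@443 or host@8080.
    return m.group(1).split("@", 1)[0].lower()

def classify(value):
    """Triage one PidLidReminderFileParameter value."""
    if not value or not value.strip():
        return "clear"
    host = unc_host(value)
    if host is None:
        return "local"  # a sound file on the local disk
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Heuristic: single-label names resolve inside the network.
        internal = "." not in host or host.endswith(TRUSTED_SUFFIXES)
    else:
        internal = any(ip in net for net in TRUSTED_NETS)
    return "review-internal" if internal else "suspicious-external"

def triage(rows):
    """Return (mailbox, subject, verdict) for every row that needs a look."""
    verdicts = ((m, s, classify(v)) for m, s, v in rows)
    return [r for r in verdicts if r[2] not in ("clear", "local")]

# Constructed sample export: (mailbox, subject, property value).
SAMPLE = [
    ("alice", "Budget review", ""),
    ("bob", "Stand-up", r"C:\Windows\Media\chimes.wav"),
    ("carol", "Team lunch", r"\\fs01.corp.example\sounds\ding.wav"),
    ("dave", "Reminder", r"\\203.0.113.7\share\a.wav"),
    ("erin", "Follow up", r"\\files.example.net@SSL@443\x\y.wav"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Rows marked `suspicious-external` are the ones to inspect first and then remove or clear, as described above; `review-internal` rows still reference a network path and deserve a second look.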
If your organization is unable to apply the security updates, Microsoft also released some workaround mitigations that include taking the following steps:
Doeren Mayhew’s dedicated IT Advisory and Security Group works closely with management teams to identify risks and implement strategies to help avoid costly situations. Our team of experts can scan your network to identify which systems remain vulnerable to Outlook exploitation and help you develop a plan to address them. We stay on top of these threats, so you have the latest information impacting your business. For more information or to speak with an advisor, contact a cybersecurity advisor today.
This publication is distributed for informational purposes only, with the understanding that Doeren Mayhew is not rendering legal, accounting, or other professional opinions on specific facts for matters, and, accordingly, assumes no liability whatsoever in connection with its use. Should the reader have any questions regarding any of the news articles, it is recommended that a Doeren Mayhew representative be contacted.