CVE-2023-23397 Explained: The Outlook Zero-Click NTLM Hash Theft Vulnerability

Outlook allows calendar events to include custom reminder sounds, specified as a file path in the PidLidReminderFileParameter property of the appointment. When a reminder fires, Outlook attempts to access the file at the specified path to play the custom sound.

CVE-2023-23397 exploits the fact that Outlook accepts UNC (Universal Naming Convention) paths in this field — paths in the format \\attacker-server\share\file.wav that reference files over the network. When Outlook's reminder handler attempts to access the UNC path, Windows initiates an SMB connection to the remote server. As part of standard Windows SMB authentication, Windows sends the victim's NTLM authentication hash to the remote server.

The attacker's SMB server captures this hash. The victim's NTLM hash can then be cracked offline to recover the plaintext password, or relayed directly to other internal services using NTLM relay attacks — authenticating to those services as the victim without needing the password at all.

Critically: this fires when the reminder triggers, not when the email is opened. A calendar event scheduled for a future date will fire its reminder when that date arrives — potentially days or weeks after delivery — even if the email is never read. The victim's email client processes the appointment metadata automatically upon receipt.

Microsoft credited the discovery of CVE-2023-23397 to the Computer Emergency Response Team of Ukraine (CERT-UA) and confirmed that APT28 (also tracked as STRONTIUM, Fancy Bear, and Forest Blizzard) had exploited it against at least 15 organizations across the European government, military, energy, and transportation sectors.

The earliest documented exploitation occurred in April 2022 — nearly a year before the March 2023 patch. APT28 used the vulnerability for initial access and lateral movement, harvesting NTLM hashes from multiple targeted victims and using them to authenticate into internal systems without needing to crack passwords.

The attack is particularly effective in corporate environments where NTLM authentication remains enabled for internal services. Windows environments commonly use NTLM for SMB file sharing, internal web applications running on IIS with Windows authentication, LDAP authentication to Active Directory, and various legacy application integrations. A single captured NTLM hash — if relayable — can provide access to multiple internal services.

The APT28 campaign demonstrated that credential theft vulnerabilities with zero interaction requirements represent a qualitatively different threat than traditional phishing campaigns, because there is nothing for security awareness training to intercept.

Microsoft released patches for all supported versions of Outlook for Windows on March 14, 2023. The patch prevents Outlook from following UNC paths in reminder sound fields. Several additional controls harden the environment against NTLM relay attacks even after patching.

CVE-2023-23397 represents a category of vulnerability that security awareness programs cannot defend against — because there is no action for a user to avoid. The victim does nothing wrong. They receive an email. Outlook processes it. The NTLM hash is gone.

The ten-month APT28 exploitation window demonstrates that sophisticated nation-state actors actively develop zero-click credential theft capabilities and deploy them with precision against high-value targets. The organizations targeted were not the result of opportunistic scanning — they were selected based on intelligence value.

The durable fix is: patch Outlook, block outbound SMB, and reduce NTLM dependency. As long as Windows environments rely on NTLM for internal authentication, captured hashes will provide value to attackers. Zero-click delivery mechanisms like CVE-2023-23397 make credential protection a network architecture problem, not just an endpoint problem.