Volume 28 Issue 7

Today's Highlights »

• Zero-Day Exploit in Outlook
• Links in Outlook open in Edge

Zero-Day Exploit in Outlook

Microsoft announced a zero-day vulnerability in Outlook earlier this week and all supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

The exploit is triggered by a specially-crafted messages and uses SMB/TCP port 445 to get NTLM authentication and gain access to other network services. No user interaction is required.

Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages.

Organizations with on-premise mailboxes or services are at risk.

Recommended fixes to reduce vulnerability:

1. Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM.
2. Block TCP 445/SMB outbound at the perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.

Microsoft's articles on the exploit are here:
CVE-2023-23397 - Security Update Guide - Microsoft - Microsoft Outlook Elevation of Privilege Vulnerability
Microsoft Mitigates Outlook Elevation of Privilege Vulnerability | MSRC Blog | Microsoft Security Response Center

Links in Outlook open in Edge

Microsoft is implementing a change Outlook and Edge where links in Outlook will open by default in Edge, not in your default browser (assuming it is not Edge. If you want the links to open in your default browser, you need to change a setting in Outlook's File > Options > Advanced > Link handling.

It will roll out to consumers with Personal or Family subscriptions first, beginning with the Office Insiders (beta) before rolling out to all consumers in the coming weeks. Eventually, it will turn up in business accounts.

Time will tell if this is flop or welcome change, but my money is on flop, especially since it changes the behavior users expect.

Microsoft has these two articles on this new features.
Stay in your flow with Microsoft 365 on Microsoft Edge
Multitask smarter with Microsoft 365 and Edge | Microsoft 365 Blog

New & Updated Microsoft 365 & Exchange Server Support Articles

EWS web application pool stops after the February 2023 Security Update is installed

An exception is returned while opening a template in the Exchange Toolbox

EWS does not respond and returns an exception

Get-App and GetAppManifests fail and return an exception

EEMS stops responding after TLS endpoint certificate update

You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigning

Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 14, 2023 (KB5024296)

"Cannot Send Mail - Your mailbox is full" error when you use iPhone mail to send very large attachments (KB5004622)

New & Updated Outlook Support Articles

Description of the security update for Outlook 2016: March 14, 2023 (KB5002254)

Description of the security update for Outlook 2013: March 14, 2023 (KB5002265)

March 2023 updates for Microsoft Office

Outlook unexpectedly opens a browser window if OWA is disabled

Problems syncing shared calendars when enabling "Can view title and location" permissions

Your Microsoft account, your data, your choices

You cannot change a user's categories when you work as a delegate in Outlook
Describes an issue in which you cannot make changes to categories as a delegate in another user's Inbox or Outlook folder in Outlook. Provides a resolution.

Other Resources

Change Appointment Reminder Sounds
Did you ever wonder if you could assign different reminders to different types of Microsoft Outlook appointments? Yes, you can! You can also change the reminder sound for tasks and flags.