The following articles were included in our Exchange Messaging Outlook (EMO) newsletter published on March 16, 2023.
EMO is a weekly publication. To receive your own copy of EMO by email, subscribe here.
Today's Highlights
Zero-Day Exploit in Outlook
Microsoft announced a zero-day vulnerability in Outlook earlier this week and all supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
The exploit is triggered by a specially crafted message and uses SMB (TCP port 445) to obtain NTLM authentication and gain access to other network services. No user interaction is required.
Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages.
Organizations with on-premises mailboxes or services are at risk.
Recommended fixes to reduce vulnerability:
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM.
- Block TCP 445/SMB outbound at the perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
Microsoft's articles on the exploit are here:
CVE-2023-23397 - Security Update Guide - Microsoft - Microsoft Outlook Elevation of Privilege Vulnerability
Microsoft Mitigates Outlook Elevation of Privilege Vulnerability | MSRC Blog | Microsoft Security Response Center
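One way to check that the outbound SMB block recommended above is in effect, as an added example (not from the newsletter or from Microsoft): the script reads a Windows Firewall log in the pfirewall.log field layout and reports outbound TCP 445 connections to addresses outside the internal ranges. The sample log lines and the INTERNAL_NETS list are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: address ranges treated as internal; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample in pfirewall.log layout (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2023-03-15 09:14:02 ALLOW TCP 10.0.4.21 10.0.1.5 49811 445 0 - 0 0 0 - - - SEND
2023-03-15 09:14:07 ALLOW TCP 10.0.4.21 203.0.113.50 49812 445 0 - 0 0 0 - - - SEND
2023-03-15 09:15:40 DROP TCP 10.0.4.33 198.51.100.9 50120 445 0 - 0 0 0 - - - SEND
2023-03-15 09:16:11 ALLOW TCP 10.0.4.21 203.0.113.50 49830 443 0 - 0 0 0 - - - SEND
2023-03-15 09:17:25 ALLOW TCP 203.0.113.77 10.0.4.21 51000 445 0 - 0 0 0 - - - RECEIVE
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_outbound_smb(log_text):
    """Count outbound TCP 445 records to external hosts, split by firewall action."""
    fields, allowed, blocked = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if (rec.get("protocol"), rec.get("dst-port"), rec.get("path")) != ("TCP", "445", "SEND"):
            continue
        try:
            if is_internal(rec.get("dst-ip", "")):
                continue                # internal file shares are expected
        except ValueError:
            continue                    # malformed address, skip the record
        key = (rec.get("src-ip"), rec["dst-ip"])
        if rec.get("action") == "ALLOW":
            allowed[key] += 1           # NTLM could leave the network here
        elif rec.get("action") == "DROP":
            blocked[key] += 1           # the outbound block is working
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = audit_outbound_smb(SAMPLE_LOG)
    print("allowed:", dict(allowed), "blocked:", dict(blocked))
```

Windows Firewall logs neither allowed nor dropped connections by default, so turn both on (the -LogAllowed and -LogBlocked parameters of Set-NetFirewallProfile) before relying on this check.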
Links in Outlook open in Edge
Microsoft is implementing a change to Outlook and Edge where links in Outlook will open by default in Edge, not in your default browser (assuming it is not Edge). If you want the links to open in your default browser, you need to change a setting in Outlook's File > Options > Advanced > Link handling.
It will roll out to consumers with Personal or Family subscriptions first, beginning with the Office Insiders (beta) before rolling out to all consumers in the coming weeks. Eventually, it will turn up in business accounts.
Time will tell if this is a flop or a welcome change, but my money is on flop, especially since it changes the behavior users expect.
Microsoft has these two articles on this new feature.
Stay in your flow with Microsoft 365 on Microsoft Edge
Multitask smarter with Microsoft 365 and Edge | Microsoft 365 Blog
New & Updated Microsoft 365 & Exchange Server Support Articles
EWS web application pool stops after the February 2023 Security Update is installed
An exception is returned while opening a template in the Exchange Toolbox
EWS does not respond and returns an exception
Get-App and GetAppManifests fail and return an exception
EEMS stops responding after TLS endpoint certificate update
You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigning
New & Updated Outlook Support Articles
Description of the security update for Outlook 2016: March 14, 2023 (KB5002254)
Description of the security update for Outlook 2013: March 14, 2023 (KB5002265)
March 2023 updates for Microsoft Office
Outlook unexpectedly opens a browser window if OWA is disabled
Problems syncing shared calendars when enabling "Can view title and location" permissions
Your Microsoft account, your data, your choices
You cannot change a user's categories when you work as a delegate in Outlook
Describes an issue in which you cannot make changes to categories as a delegate in another user's Inbox or Outlook folder in Outlook. Provides a resolution.
Other Resources
Change Appointment Reminder Sounds
Did you ever wonder if you could assign different reminders to different types of Microsoft Outlook appointments? Yes, you can! You can also change the reminder sound for tasks and flags.