Zero-Click Outlook RCE Exploits: New Details and Disclosures

Security researchers have revealed technical details about two now-patched security flaws in Microsoft Windows that could be exploited by threat actors to achieve remote code execution on the Outlook email service without any user interaction. The vulnerabilities, CVE-2023-35384 and CVE-2023-36710, were addressed by Microsoft in August and October 2023, respectively. CVE-2023-35384 is a bypass for a critical security flaw that Microsoft patched in March 2023, and it can be used to steal NTLM credentials and conduct a relay attack. The vulnerabilities can be chained together to create a full zero-click remote code execution exploit against Outlook clients. Organizations are advised to use microsegmentation to block outgoing SMB connections to remote public IP addresses and to disable NTLM or add users to the Protected Users security group to mitigate the risks.
- Beware: Experts Reveal New Details on Zero-Click Outlook RCE Exploits (The Hacker News)
- Akamai finds new Outlook exploits that leverage sound file attachments (SiliconANGLE News)
- Windows Zero-click RCE Flaw - Attackers Exploit Outlook Clients (CybersecurityNews)
- Akamai discloses zero-click exploit for Microsoft Outlook (TechTarget)
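
As an added example (not from the articles above, Akamai or Microsoft), the following check supports the outbound-SMB mitigation in the summary: it lists internal hosts whose flow records show TCP/445 connections to non-internal addresses, and which of those were still allowed. The log format, the sample records and the internal address ranges are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: ranges treated as internal; replace with the organization's own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
SMB_PORT = 445  # SMB over TCP

# Constructed flow records: "time src dst dst_port proto action" (format is an assumption).
SAMPLE_FLOWS = """\
2023-12-18T09:14:02Z 10.20.4.17 10.20.1.5 445 tcp allow
2023-12-18T09:14:09Z 10.20.4.17 203.0.113.50 445 tcp allow
2023-12-18T09:15:41Z 10.20.7.88 198.51.100.7 443 tcp allow
2023-12-18T09:16:20Z 10.20.9.3 2001:db8::50 445 tcp deny
malformed line
2023-12-18T09:17:55Z 10.20.9.3 198.51.100.23 445 udp allow
"""

def is_internal(addr):
    """True if addr (IPv4 or IPv6 text) falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text):
    """Return (findings, skipped): TCP/445 flows from internal hosts to non-internal addresses."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, port, proto, action = line.split()
            hit = (proto.lower() == "tcp" and int(port) == SMB_PORT
                   and is_internal(src) and not is_internal(dst))
        except ValueError:  # wrong field count, non-numeric port, bad address
            skipped += 1
            continue
        if hit:
            findings.append({"time": ts, "src": src, "dst": dst,
                             "allowed": action.lower() == "allow"})
    return findings, skipped

def still_exposed(findings):
    """Internal hosts with at least one allowed (not yet blocked) outbound SMB flow."""
    return sorted({f["src"] for f in findings if f["allowed"]})

if __name__ == "__main__":
    found, bad = find_outbound_smb(SAMPLE_FLOWS)
    print(found)
    print("hosts needing the block:", still_exposed(found), "| skipped lines:", bad)
```

Hosts returned by `still_exposed` are the ones where the egress block is not yet in effect; denied flows remain in the findings as evidence of attempted outbound SMB.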