CVE-2023-23397 Explained: The Outlook Zero-Click NTLM Hash Theft Vulnerability
A CVSS 9.8 zero-click vulnerability in Microsoft Outlook for Windows that leaks NTLM hashes to an attacker's server through a malicious calendar invitation, no user interaction required. Exploited by APT28.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2023-23397 is a critical zero-click vulnerability in Microsoft Outlook for Windows that enables an attacker to steal a victim's NTLM authentication hash simply by sending them a malicious calendar invitation. The patch was released March 14, 2023, but Microsoft and Ukraine's CERT-UA confirmed that APT28 (Fancy Bear, a Russian state-sponsored threat group) had been exploiting this vulnerability against European government, military, energy, and transportation organizations since at least April 2022, a ten-month zero-day window.
The vulnerability requires no user interaction beyond receiving the email. The victim does not need to open the message, click any link, preview the attachment, or enable any features. The exploit fires automatically when Outlook processes the reminder associated with the meeting invitation.
How CVE-2023-23397 Steals NTLM Hashes Without Any Clicks
Outlook allows calendar events to include custom reminder sounds, specified as a file path in the PidLidReminderFileParameter property of the appointment. When a reminder fires, Outlook attempts to access the file at the specified path to play the custom sound.
CVE-2023-23397 exploits the fact that Outlook accepts UNC (Universal Naming Convention) paths in this field, paths in the format \attacker-server\share\file.wav that reference files over the network. When Outlook's reminder handler attempts to access the UNC path, Windows initiates an SMB connection to the remote server. As part of standard Windows SMB authentication, Windows sends the victim's NTLM authentication hash to the remote server.
The attacker's SMB server captures this hash. The victim's NTLM hash can then be cracked offline to recover the plaintext password, or relayed directly to other internal services using NTLM relay attacks, authenticating to those services as the victim without needing the password at all.
Critically: this fires when the reminder triggers, not when the email is opened. A calendar event scheduled for a future date will fire its reminder when that date arrives, potentially days or weeks after delivery, even if the email is never read. The victim's email client processes the appointment metadata automatically upon receipt.
Craft malicious appointment
Create an Outlook calendar invitation where the PidLidReminderFileParameter property is set to a UNC path pointing to an attacker-controlled SMB server, such as \\attacker.example.com\share\file.wav.
Deliver to victim
Send the malicious .MSG file as an email attachment, or deliver it as a meeting invitation directly. The meeting does not need a subject that attracts attention, it can blend with legitimate calendar traffic.
Appointment is processed
Outlook receives the invitation and adds it to the victim's calendar. This processing triggers the vulnerability, the NTLM hash may be sent immediately upon receipt, before the reminder date, depending on Outlook's notification handling.
NTLM hash captured
When Outlook attempts to access the UNC path, Windows initiates SMB authentication. The attacker's Responder or similar tool captures the Net-NTLMv2 hash from the incoming connection.
Crack or relay
The captured hash is cracked offline using tools like Hashcat with GPU acceleration, or relayed in real time to internal services (LDAP, SMB, HTTP) to authenticate as the victim without knowing their password.
APT28 Exploitation: A 10-Month Zero-Day Campaign
Microsoft credited the discovery of CVE-2023-23397 to the Computer Emergency Response Team of Ukraine (CERT-UA) and confirmed that APT28 (also tracked as STRONTIUM, Fancy Bear, and Forest Blizzard) had exploited it against at least 15 organizations across the European government, military, energy, and transportation sectors.
The earliest documented exploitation occurred in April 2022, nearly a year before the March 2023 patch. APT28 used the vulnerability for initial access and lateral movement, harvesting NTLM hashes from multiple targeted victims and using them to authenticate into internal systems without needing to crack passwords.
The attack is particularly effective in corporate environments where NTLM authentication remains enabled for internal services. Windows environments commonly use NTLM for SMB file sharing, internal web applications running on IIS with Windows authentication, LDAP authentication to Active Directory, and various legacy application integrations. A single captured NTLM hash, if relayable, can provide access to multiple internal services.
The APT28 campaign demonstrated that credential theft vulnerabilities with zero interaction requirements represent a qualitatively different threat than traditional phishing campaigns, because there is nothing for security awareness training to intercept.
“STRONTIUM used CVE-2023-23397 to target and compromise government, transportation, energy, and military sector networks in Europe.”
Microsoft Threat Intelligence, March 2023
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Mitigating CVE-2023-23397
Microsoft released patches for all supported versions of Outlook for Windows on March 14, 2023. The patch prevents Outlook from following UNC paths in reminder sound fields. Several additional controls harden the environment against NTLM relay attacks even after patching.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2023-23397 represents a category of vulnerability that security awareness programs cannot defend against, because there is no action for a user to avoid. The victim does nothing wrong. They receive an email. Outlook processes it. The NTLM hash is gone.
The ten-month APT28 exploitation window demonstrates that sophisticated nation-state actors actively develop zero-click credential theft capabilities and deploy them with precision against high-value targets. The organizations targeted were not the result of opportunistic scanning, they were selected based on intelligence value.
The durable fix is: patch Outlook, block outbound SMB, and reduce NTLM dependency. As long as Windows environments rely on NTLM for internal authentication, captured hashes will provide value to attackers. Zero-click delivery mechanisms like CVE-2023-23397 make credential protection a network architecture problem, not just an endpoint problem.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2023-23397?
CVE-2023-23397 is a zero-click NTLM hash theft vulnerability in Microsoft Outlook for Windows. An attacker sends a calendar invitation with a UNC path in the reminder sound field. When the reminder fires, Outlook automatically connects to the attacker's SMB server, leaking the victim's NTLM authentication hash. No user interaction needed, the victim doesn't even need to open the email.
How is the NTLM hash from CVE-2023-23397 used by attackers?
The captured NTLM hash can be cracked offline to recover the plaintext password, or relayed immediately to internal services (file shares, Exchange, RDP) using NTLM relay attacks, authenticating as the victim without ever needing the password.
How do I fix CVE-2023-23397?
Apply Microsoft's March 2023 Patch Tuesday update for Outlook. As an interim measure, add all users to the Protected Users security group in Active Directory (blocks NTLM authentication) and block outbound SMB (TCP 445) from your network to the internet.
How long did APT28 exploit CVE-2023-23397 before the patch?
Microsoft and Ukraine's CERT-UA confirmed that APT28 (Fancy Bear, tracked by Microsoft as Forest Blizzard / STRONTIUM) exploited CVE-2023-23397 against at least 15 organizations in the European government, military, energy, and transportation sectors beginning in April 2022. The March 14, 2023 patch closed a zero-day window of approximately 11 months. This extended exploitation window, combined with the zero-click delivery mechanism, allowed APT28 to harvest NTLM hashes from high-value targets for credential relay attacks across internal enterprise networks.
What can attackers do with NTLM hashes captured via CVE-2023-23397?
Captured Net-NTLMv2 hashes can be exploited in two ways. First, offline cracking: using GPU-accelerated tools like Hashcat, attackers attempt to crack the hash to recover the plaintext password, which then grants direct authentication to any service using that account. Second, NTLM relay attacks: the hash can be relayed in real time to internal services (LDAP, SMB file shares, HTTP with Windows authentication, RDP) to authenticate as the victim without ever cracking it. Relay attacks against LDAP can be used to add new admin accounts or grant DCSync privileges, leading to domain compromise.
How do I scan Exchange mailboxes for CVE-2023-23397 malicious calendar items?
Microsoft published a PowerShell detection script (CVE-2023-23397.ps1) that scans Exchange mailboxes for calendar items containing UNC paths in the PidLidReminderFileParameter property. Run this script against all mailboxes on your Exchange server. The script requires Exchange admin credentials and can be run against all mailboxes or a targeted subset. Any items found should be removed, and the accounts that received them should be assessed for NTLM hash exposure and potential relay attack activity during the period the items were present in mailboxes.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
