By sending a forged, #malicious email (which you don’t even have to open, just receive), a clever attacker can cause all sorts of trouble, including intercepting your password hash (in other words: obtaining your password, but also making changes on your behalf).
So: stop using Outlook Desktop (use the web client instead), change your O365 or Exchange password, and make sure your Office is updated to the very latest version. This is not a theoretical exercise: Microsoft itself indicates that it has already been used #inthewild in attacks.
And no, MFA will not save you (the password itself is not intercepted, but the privilege escalation remains, so they can keep abusing it).
A practical step-by-step plan for organizations:
1. Ensure that all your clients have the latest version of the Outlook software. Until that is the case, make sure everyone uses the web client. There are many ways to monitor/automate this (MDMs, Intune, etc.), but that’s not my expertise.
2. Force them to change their password at their next login (easily done in AD / Azure AD).
3. Keep your eyes (and your logging, antivirus, SIEM, EDR and other security tools) open for anomalies, in other words, anything strange.
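As an added example (not part of the original post), the first two steps of that plan on a Windows client in PowerShell: read the installed Outlook build from the registry (Click-to-Run) or the OUTLOOK.EXE file version, compare it with a minimum build, and flag the affected users for a password change at next logon. It assumes the ActiveDirectory module is available and that you replace the `$MinimumBuild` placeholder with the fixed build number from Microsoft's advisory, which this post does not quote.

```powershell
# Added example, not code from the original post.
# PLACEHOLDER: replace with the patched Outlook build from the MSRC advisory.
$MinimumBuild = [version]'0.0.0.0'

function Get-OutlookBuild {
    # Click-to-Run installs record the reported Office version under this key.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $props = Get-ItemProperty -Path $c2r -ErrorAction SilentlyContinue
    if ($props -and $props.VersionToReport) {
        return [version]$props.VersionToReport
    }
    # Fallback for MSI installs: the file version of OUTLOOK.EXE.
    $exe = Get-ChildItem -Path "${env:ProgramFiles}\Microsoft Office" -Recurse `
        -Filter OUTLOOK.EXE -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($exe) { return [version]$exe.VersionInfo.FileVersion }
    return $null
}

function Test-OutlookPatched {
    param([version]$Build, [version]$Minimum = $MinimumBuild)
    # No Outlook found is treated as "not verified", not as "safe".
    if (-not $Build) { return $false }
    return $Build -ge $Minimum
}

function Set-ForcePasswordChange {
    # Step 2 of the plan: each listed user must pick a new password at next logon.
    param([string[]]$SamAccountName)
    foreach ($user in $SamAccountName) {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        Write-Output "Flagged $user for password change at next logon"
    }
}

# Step 1 of the plan: decide whether this client may keep using Outlook Desktop.
$build = Get-OutlookBuild
if (Test-OutlookPatched -Build $build) {
    Write-Output "Outlook build $build is at or above $MinimumBuild"
} else {
    Write-Warning "Outlook build '$build' is below $MinimumBuild (or not found): use the web client until updated"
}
```

Set-ADUser will refuse to set the flag on accounts that have "password never expires" enabled, so clear that attribute first for such users.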
#start now #do not wait!
I’ve never understood why people actually use Outlook Desktop (what crappy, unstable software).
This incident should also once again make us question the monoculture and quasi-monopolies that we allow for the essential software that we use as individuals, companies, government, and society in general.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397