Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally, or to receive a notification when an email had been viewed by a victim.
This issue was partially patched in July 2017 (CVE-2017-8572). According to the Microsoft Security Response Center (MSRC), CVE-2017-11927 that was released in December 2017 had also patched a number of payloads. This patch was updated in May 2018 to address the remaining issues that were mentioned in this report.
The GitHub project is accessible at https://github.com/nccgroup/OutlookLeakTest.
PDF version of the blog post published by NCC Group can be downloaded from:
The full article can be viewed in NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook/