A critical vulnerability in the ubiquitous Microsoft Outlook/365 applications suite is being actively abused in the wild and demands urgent patching.
CVE-2023-23397, a CVSS 9.8 bug, lets a remote and unauthenticated attacker breach systems merely by sending a specially crafted email that allows them steal the recipient’s credentials.
It gets worse: The victim doesn’t even need to open the malicious email: As Microsoft notes in its own guidance for the Microsoft 365 vulnerability: “[The email] triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”