# A Simple PoC in PowerShell for CVE-2023-23397

CVE-2023-23397 is a vulnerability in MS Outlook that allows an attacker to potentially exfil user authentication details. The vulnerability relates to the the ability for an attacker to specify a UNC path in the "ReminderSoundFile" property within an email/meeting invite - when the reminder triggers in Outlook, the user's Outlook client attempts to load the sound file specified in the path. If Outlook attempts to initiate an SMB connection to a remote SMB server, it might be possible for the attacker to intercept the user's Net-NTLMv2 hash and relay this to authenticate as the user.

PoC is based on Dominic Chell's MDSec post (, porting the concepts to PowerShell.

Note that the UNC path can also be used to make a WebDAV request to an external domain, either by appending "@80" or "@SSL@443" to the host name, as per n00py's blog post: