Bi.Zone, a Russian information-security firm, has warned of a serious flaw in the Microsoft Outlook email client that lets attackers obtain authentication material for victims' mail accounts without any action on the victim's part. The assessment was reported by TASS, the Russian news agency.
The vulnerability sits in Outlook's reminder handling for calendar items. An attacker sends the victim a message (an appointment, a task or an ordinary email carrying a reminder) in which the extended MAPI property that names a custom reminder sound, PidLidReminderFileParameter, is set to a UNC path on a server the attacker controls. The victim does not need to open the message or click anything: when Outlook processes the reminder, the Windows desktop client connects to that path over SMB and authenticates automatically, sending the user's Net-NTLMv2 response to the attacker's server. Outlook on the web, Outlook for Mac and the mobile clients do not process the property and are not affected.
What the attacker captures is not the plaintext password but the NTLM challenge-response. In Bi.Zone's description the intruder can nevertheless act as the victim: the response can be relayed to another service that accepts NTLM authentication (an Exchange server, a file share, LDAP) to log in as the user, or cracked offline if the password is weak. In either case the attacker ends up operating with the victim's identity.
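The practical question for a defender is how to find messages that already carry such a reminder path. Microsoft published a script, CVE-2023-23397.ps1, for auditing Exchange mailboxes; the block below is an added example (not code from the article, from Bi.Zone or from Microsoft) that shows the decision logic such a scan needs: parse the reminder file value, recognise the UNC spellings Windows accepts (including the \\?\UNC\ long form and the \\host@80\ WebDAV form that attackers used to sidestep outbound-SMB blocking), and flag any path that points at a host outside an allowlist. The allowlist, the message records and the hosts in them are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Extended MAPI property Outlook reads to locate a custom reminder sound
# (property set PSETID_Common, LID 0x851F, type PT_UNICODE). When it holds a
# UNC path, Outlook opens that path when the reminder fires, which is the
# trigger for CVE-2023-23397. Here it is simply the key used in the sample data.
REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"

# Hosts the organisation legitimately serves reminder media from.
# Constructed allowlist for this example; an assumption, not from the article.
INTERNAL_HOSTS = {"fileserver.corp.example"}

# UNC spellings Windows accepts: \\host\share, //host/share, the long-path form
# \\?\UNC\host\share, and WebDAV hints such as \\host@80\share or
# \\host@SSL@443\share. Group 1 captures the host, group 2 the remainder.
_UNC_RE = re.compile(
    r"""^(?:\\\\\?\\UNC\\|[\\/]{2})   # long-form prefix, or two leading separators
        ([^\\/@]+)                     # host, up to the next separator or '@'
        (?:@SSL)?(?:@\d+)?             # optional WebDAV markers
        [\\/](.*)$""",                 # separator, then share and file path
    re.VERBOSE | re.IGNORECASE,
)


def unc_host(value: str) -> Optional[str]:
    """Return the lower-cased host of a UNC path, or None if value is not UNC."""
    m = _UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None


def classify_reminder_file(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Classify one PidLidReminderFileParameter value.

    Verdicts:
      no_reminder_file  property absent or empty (the normal case)
      local_path        drive-letter or relative path, stays on the host
      allowlisted_unc   UNC path to an approved internal server
      unexpected_unc    UNC path to any other host: Outlook will authenticate
                        to it with NTLM when the reminder fires
    Hosts are not trusted by address range on purpose: a compromised internal
    machine serves a relay attack just as well as an internet host does.
    """
    if not value:
        return {"verdict": "no_reminder_file", "host": None}
    host = unc_host(value)
    if host is None:
        return {"verdict": "local_path", "host": None}
    if host in INTERNAL_HOSTS:
        return {"verdict": "allowlisted_unc", "host": host}
    return {"verdict": "unexpected_unc", "host": host}


def scan_messages(messages: List[dict]) -> List[dict]:
    """Return one finding per message whose reminder file points at an unexpected host."""
    findings = []
    for msg in messages:
        value = msg.get("props", {}).get(REMINDER_FILE_PARAMETER)
        result = classify_reminder_file(value)
        if result["verdict"] == "unexpected_unc":
            findings.append({"subject": msg.get("subject"),
                             "host": result["host"], "value": value})
    return findings


# Constructed sample mailbox items; subjects, hosts and paths are invented for
# this example and do not come from the article or from any real campaign.
SAMPLE_MESSAGES = [
    {"subject": "Weekly sync",
     "props": {REMINDER_FILE_PARAMETER: r"C:\Windows\Media\reminder.wav"}},
    {"subject": "Q3 planning",
     "props": {REMINDER_FILE_PARAMETER: r"\\fileserver.corp.example\media\chime.wav"}},
    {"subject": "Invoice overdue",
     "props": {REMINDER_FILE_PARAMETER: r"\\203.0.113.45\share\x.wav"}},
    {"subject": "Budget review",
     "props": {REMINDER_FILE_PARAMETER: r"\\?\UNC\attacker.example\p\x.wav"}},
    {"subject": "Team lunch",
     "props": {REMINDER_FILE_PARAMETER: r"\\198.51.100.7@80\dav\x.wav"}},
    {"subject": "No reminder", "props": {}},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"[!] '{f['subject']}' reminder file -> {f['host']}  ({f['value']})")
```

Run against the constructed mailbox, the scan reports the three messages whose reminder sound lives on a host outside the allowlist and ignores the local file and the approved server. In a real deployment the values would come from the mailbox export or from the output of Microsoft's script, and a hit should be treated as an incident, not just cleaned up: the reminder may already have fired. Microsoft's complementary mitigations apply regardless of what the scan finds: block outbound TCP 445 from the network to the internet, and put high-value accounts in the Protected Users group, which disables NTLM for them. Outbound-SMB blocking alone is not enough, because the \\host@80\ form makes Outlook use WebDAV over HTTP instead of SMB; that is why the example flags on the host rather than on the transport.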
The vulnerability is tracked as CVE-2023-23397 and carries a CVSS v3.1 base score of 9.8 out of 10, the rating assigned by Microsoft and mirrored in the NVD. Microsoft disclosed and patched it in the March 2023 security update and stated that it had already been exploited in targeted attacks before the fix was available, which prompted urgent discussion among security professionals about the exposure of corporate mail systems and personal accounts that rely on Outlook for calendar scheduling. The patched client no longer opens a reminder file from an untrusted network location.
Separately, Trend Micro researchers have reported information-stealing malware distributed under the guise of legitimate software, a reminder that trusted tools and familiar workflows are routinely repurposed to mislead users. The point where calendar features meet email processing, as this Outlook flaw shows, remains an attractive target for attackers who want to harvest credentials quietly and keep their access across connected devices and services.