PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-33151 Microsoft CVE debrief

A spoofing vulnerability in Microsoft Outlook that could allow an attacker to manipulate email content or sender information to deceive users. The vulnerability affects multiple versions of Microsoft Office and Microsoft 365 Apps across x86 and x64 architectures. With a CVSS score of 6.5 (MEDIUM), this vulnerability requires user interaction to exploit, with network-based attack vectors and low attack complexity. The confidentiality impact is rated HIGH, while integrity and availability impacts are none. Microsoft has released patches for affected products.

Vendor
Microsoft
Product
Microsoft Office LTSC 2021
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2023-07-11
Original CVE updated
2026-05-19
Advisory published
2023-07-11
Advisory updated
2026-05-19

Who should care

Organizations relying on Microsoft Outlook for email communications, particularly those with mixed Office version environments. Security teams responsible for email security infrastructure and endpoint patch management. Users handling sensitive communications where sender authenticity is critical.

Technical summary

This vulnerability exists in Microsoft Outlook's handling of email content, allowing an attacker to spoof sender information or message content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) places it at network attack vector, low attack complexity, no privileges required and user interaction required, such as the target opening a crafted email. The rated impact is high to confidentiality and none to integrity or availability: the risk is that a recipient is deceived into trusting a spoofed message and disclosing sensitive information or acting on a false instruction, not that the Outlook host itself is modified or disrupted. Affected products span both perpetual-license Office releases and the Microsoft 365 subscription apps.

Defensive priority

medium

Recommended defensive actions

  • Apply Microsoft security updates for affected Office versions as provided in the July 2023 Patch Tuesday release
  • Verify Outlook client versions against affected CPE criteria: Microsoft 365 Apps Enterprise, Office 2013 SP1, Office 2016, Office 2019, and Office LTSC 2021
  • Implement email authentication mechanisms (SPF, DKIM, DMARC) to supplement client-side spoofing protections
  • Train users to verify sender identities and be cautious of unexpected email content even from seemingly trusted sources
  • Monitor for suspicious email activity that may indicate spoofing attempts targeting the organization
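The email-authentication and monitoring recommendations above can be turned into a concrete client- or gateway-side triage check. The following is an added example, not PatchSiren's or Microsoft's code, and it does not detect exploitation of CVE-2023-33151 itself (the advisory does not describe the mechanism); it shows how the SPF/DKIM/DMARC verdicts that a gateway records in the Authentication-Results header, together with envelope-versus-header and display-name consistency checks, flag the kind of sender spoofing the recommendations warn about. The two messages and the authserv-id mx.example.com are constructed samples, not real captures.

```python
"""Triage raw e-mail headers for sender-spoofing indicators.

Added example (not from the PatchSiren page or Microsoft). Three checks:
  1. the gateway's DMARC verdict in Authentication-Results is not "pass"
  2. the envelope sender (Return-Path) domain differs from the From domain
  3. the From display name embeds an address at a different domain than
     the real From address (a classic lookalike trick)
Sample messages below are constructed, not captured traffic.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: all three mechanisms pass, headers are consistent.
LEGIT = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "CEO" <ceo@example.com>
To: staff@example.com
Subject: Quarterly update

Please review the attached figures.
"""

# Constructed sample: lookalike From domain, foreign envelope sender,
# no DMARC policy, and a display name that impersonates the real address.
SPOOF = """\
Return-Path: <bounce@attacker.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=attacker.example.net; dkim=none; dmarc=none header.from=examp1e.com
From: "CEO <ceo@example.com>" <ceo@examp1e.com>
To: staff@example.com
Subject: Urgent wire transfer

Send the payment today.
"""

# mechanism=verdict tokens as written by RFC 8601 Authentication-Results
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# any e-mail address embedded in free text (used on the display name)
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Collect the first spf/dkim/dmarc verdict from Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(hdr):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def spoof_indicators(raw: str) -> list:
    """Return a list of human-readable spoofing indicators for one message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    rp_dom = domain_of(rp_addr)
    auth = auth_results(msg)

    findings = []
    # 1. DMARC is the only mechanism that binds the visible From domain.
    if auth.get("dmarc") != "pass":
        findings.append(f"dmarc={auth.get('dmarc', 'missing')} for From domain {from_dom}")
    # 2. Envelope/header mismatch: legitimate for some bulk senders, but
    #    worth surfacing for human review when the From claims to be internal.
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    # 3. Display name pretending to be an address at another domain.
    m = ADDR_IN_NAME_RE.search(display)
    if m and m.group(1).lower() != from_dom:
        findings.append(f"display name embeds address at {m.group(1)} but From is {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, spoof_indicators(raw) or "no indicators")
```

Run against a mailbox export or a gateway's journaled copies, the same function works as a first-pass filter: messages with no findings are left alone, while those with a failed or missing DMARC verdict plus an envelope or display-name mismatch are the ones worth routing to the security team. The DMARC check is the one that matters most, because SPF alone only validates the envelope sender, which an attacker controls.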

Evidence notes

CVE published 2023-07-11; NVD record last modified 2026-05-19. Vendor advisory confirms patch availability via Microsoft Security Response Center. CPE criteria identify affected product versions including Microsoft 365 Apps (Enterprise), Office 2013 SP1, Office 2016, Office 2019, and Office LTSC 2021 across x86, x64, and RT platforms. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Official resources

2023-07-11