Skip to content

CVE-2023-23397 Frequently Asked Questions

What is the -UseSearchFolders preview feature?

This feature changes the way Audit mode works to be dramatically faster in most environments. The original approach searches folders synchronously one by one. When using the new switch, we perform two passes. In the first pass, we create a search folder that searches the whole mailbox. In the second pass, we collect the results. This often reduces the time to run the Audit mode by 80% or more.

This feature is still considered a preview. The old behavior can be used by simply not including the -UseSearchFolders parameter.

To use the new feature, use the same syntax as before, but add -UseSearchFolders. For example:

NOTE: Connect to EXO with Exchange Online PowerShell session

Get-EXOMailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment Online -UseSearchFolders

This switch only applies to Audit mode. Cleanup mode has no syntax changes. To take maximum advantage of the search folders, it's best to leave them in place until cleanup is done, so you can repeatedly and quickly search for any new items. After cleanup is completed, the search folders can be removed with:

Get-EXOMailbox -ResultSize Unlimited | .\CVE-2023-23997.ps1 -Environment Online -UseSearchFolders -SearchFolderCleanup

What is the relationship of Exchange Server March 2023 SU and Outlook fix for CVE-2023-23397?

Those two updates are completely independent from each other. Exchange SUs address Exchange vulnerabilities and security improvements. We mentioned the Outlook CVE-2023-23397 update in the Exchange March SU release to raise the awareness to our customers, as we know most use Outlook for Windows. Exchange March SU does not address CVE-2023-23397, you need to install Outlook update to address this vulnerability in Outlook.

Does the account running the script need to be part of Organization Management?

In OnPrem environments, the account running the script only needs the EWS Impersonation role, which is provided by adding that user to the group as described in the docs.

In Online environments, the account running the script in -CreateAzureApplication mode needs Global Admin role in order to create the Azure application used for impersonation.

In OnPrem, does the script need to be executed on the Exchange Server?

No, the script can be executed from a workstation. There are essentially two parts to running the script. First, we have to get a list of mailboxes. Second, we have to run the script against them. These steps do not necessarily need to be performed by the same user or on the same machine.

If we just want to run the script against a few users, the email addresses can be specified manually:

.\CVE-2023-23397.ps1 -Environment OnPrem -UserMailboxes "", ""

For a large number of mailboxes, an Exchange Organization Administrator could create a CSV of mailboxes to process using a command like this:

Get-Mailbox -ResultSize Unlimited | Export-Csv .\Mailboxes.csv

Then, the script could be run against the CSV file on a different machine by a different user using a command like this:

Import-Csv .\Mailboxes.csv | .\CVE-2023-23397.ps1 -Environment OnPrem
The default script execution appears to be limited to processing 1000 mailboxes, how to execute the script for more than 1000 mailboxes? You can use following steps to break up the mailboxes into multiple files, so the script can be run against mailboxes in batches. Here is an example of how to break up the mailboxes into batches of 1000:

$batchSize = 1000; $batchNumber = 1; $count = 0; Get-Mailbox -ResultSize Unlimited | Select PrimarySmtpAddress | % {
  if ($count++ -ge $batchSize) { $batchNumber++; $count = 0; }
  Export-Csv -InputObject $_ -Path "Batch$batchNumber.csv" -Append

In OnPrem, does the -Credential parameter need to be UPN or domain\user?

Either format can be used. However, by default, the script will attempt to use the username to perform Autodiscover. If Autodiscover does not work for your UPN, or if domain\user is being specified, then Autodiscover can be skipped by providing the -EWSServerUrl parameter.

.\CVE-2023-23397.ps1 -Environment OnPrem -EWSServerUrl ""

In OnPrem, does the impersonation account need to have a mailbox?

The latest version of the script no longer requires the impersonation account to have a mailbox if running on Exchange 2016 or later. Exchange 2013 still requires that the impersonation user have a mailbox on prem.

Why does my output file contain entries with empty PidLidReminderFileParameter column or 'reminder.wav'. Is this an issue?

The search query is only determining if the property PidLidReminderFileParameter is set, including empty values is a set property. It is up to the admin to determine if they to take actions against this particular item.

NOTE: Script version and after only provide results for non-empty string values. So the columns should no longer be empty when running the audit mode.

Why does my output file only contain some of my mailboxes that we searched against?

It will only export individual items that contain the PidLidReminderFileParameter properties set. If the mailbox doesn't have any items that contains this property, it will not be exported out.

Why does my output file contain multiple entries for the same mailbox?

For each individual item that does contain the PidLidReminderFileParameter property, it will be exported out with a item ID that is needed to possibly take action against.

Last update: March 22, 2023