Outlook

Microsoft is investigating an issue that triggers Outlook security alerts when trying to open .ICS calendar files after installing December 2023 Patch Tuesday Office security updates.

Microsoft 365 users affected by this issue report seeing dialog boxes warning them that "Microsoft Office has identified a potential security concern" and that "This location may be unsafe" when double-clicking ICS files saved locally.

"This behavior is not expected when opening .ICS files. This is a bug and will be addressed in a future update," Microsoft explains in this support document.

The company also revealed that the security warning will be displayed after deploying a security update that patches the CVE-2023-35636 Microsoft Outlook information disclosure vulnerability.

If left unpatched, the security flaw can be exploited by attackers to trick users of unpatched Outlook installations into opening maliciously crafted files to steal NTLM hashes (their obfuscated Windows credentials).

The attackers can later use them to authenticate as the compromised user, gain access to sensitive data, or spread laterally on their network.

Microsoft Outlook ICS security notice
Microsoft Outlook ICS security notice (Tim Benedict)

​Workaround available

Until a resolution is available, Redmond shared a temporary fix for those impacted in the form of a registry key that would disable the security notice.

However, once this workaround is deployed, it's also important to note that you'll stop receiving security prompts for all other potentially dangerous file types, not just ICS calendars.

Those affected by this known issue have to add a new DWORD key with a value of '1' to:

  • HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security (Group Policy registry path)
  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security (OCT registry path)

Impacted customers can also disable the dialog by following the step-by-step instructions available in the 'Enable or disable hyperlink warning messages in Office programs' support document.

Microsoft fixed another known Outlook issue earlier this month, causing desktop and mobile email clients to fail to connect when using Outlook.com accounts.

In December, the company addressed two more bugs causing problems for users with lots of folders when sending emails and one more causing Outlook Desktop clients to crash when sending emails from Outlook.com accounts.

Related Articles:

Microsoft pulls fix for Outlook bug behind ICS security alerts

Microsoft fixes Outlook security alerts bug caused by December updates

Microsoft fixes Outlook clients not syncing over Exchange ActiveSync

Microsoft warns Gmail blocks some Outlook email as spam, shares fix

Microsoft releases Exchange hotfixes for security update issues