Intel 471

Detecting CVE-2023-23397: How to Identify Exploitation of the Latest Microsoft Outlook Vulnerability

Mar 16, 2023

Microsoft recently released patches for nearly 80 new security vulnerabilities, including two zero-day exploits, CVE-2023-23397 and CVE-2023-24880. CVE-2023-23397 is an elevation-of-privilege (EoP) vulnerability in Microsoft Outlook that could allow an attacker to obtain a victim’s password hash. The vulnerability occurs when an attacker sends a message to the victim with an extended Messaging Application Programming Interface (MAPI) property that contains a Universal Naming Convention (UNC) path. When the victim receives the malicious message, the UNC path directs the client to a Server Message Block (SMB) share (TCP port 445) hosted on a server controlled by the attacker, triggering the vulnerability.

This vulnerability doesn't require any action from the user, and when the victim connects to the attacker’s SMB server, their New Technology LAN Manager (NTLM) negotiation message is sent automatically, which the attacker can use for authentication against other systems that support NTLM authentication. However, online services like Microsoft 365 are not susceptible to this attack since they don't support NTLM authentication.

Although Microsoft has published a detailed advisory for CVE-2023-23397, detecting successful exploitation of the vulnerability can be challenging. Cyborg Security has seen numerous instances online of advisories stating that security teams should look for the Outlook.exe process initiating SMB communications. However, Cyborg Security has found that the underlying operating system (SYSTEM) is actually initiating the SMB connection, not the Outlook.exe process. To detect the vulnerability reliably, security teams should look for SYSTEM establishing SMB and LDAP connections to non-private networks.
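The following is an added example, not Cyborg Security's or Intel 471's own detection content, that turns the guidance above into a checkable rule: flag network-connection events where the account is SYSTEM, the destination port is SMB (445) or LDAP (389), and the destination address is outside the private ranges. The input is a handful of constructed Sysmon-style Event ID 3 records in a key=value layout; the field names mirror Sysmon's but the records themselves are made up, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for attacker-controlled public hosts. It also shows why a rule keyed on Outlook.exe would miss the activity the article describes.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample records (Sysmon-style Event ID 3 "network connection" fields).
# Not real telemetry: the hosts, users and timestamps are invented for this example.
SAMPLE_LOG = r"""
UtcTime=2023-03-16 09:58:41 EventID=3 Image=System User=NT AUTHORITY\SYSTEM Protocol=tcp DestinationIp=203.0.113.10 DestinationPort=445
UtcTime=2023-03-16 09:58:42 EventID=3 Image=System User=NT AUTHORITY\SYSTEM Protocol=tcp DestinationIp=10.0.0.5 DestinationPort=445
UtcTime=2023-03-16 09:59:03 EventID=3 Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE User=CORP\alice Protocol=tcp DestinationIp=203.0.113.10 DestinationPort=443
UtcTime=2023-03-16 09:59:10 EventID=3 Image=System User=NT AUTHORITY\SYSTEM Protocol=tcp DestinationIp=198.51.100.7 DestinationPort=389
UtcTime=2023-03-16 09:59:12 EventID=3 Image=C:\Windows\System32\svchost.exe User=CORP\alice Protocol=tcp DestinationIp=203.0.113.10 DestinationPort=445
UtcTime=2023-03-16 10:00:00 EventID=1 Image=C:\Windows\System32\notepad.exe User=CORP\alice
"""

# key=value pairs whose values may contain spaces (paths, "NT AUTHORITY\SYSTEM");
# a value runs until the next " key=" token or the end of the line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Ports the article tells defenders to watch for SYSTEM-initiated outbound traffic.
WATCHED_PORTS = {445: "SMB", 389: "LDAP"}

# RFC 1918 plus loopback and link-local. Listed explicitly rather than using
# ipaddress.is_private, because Python also classifies the documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) as private, which would hide the
# stand-in "attacker" hosts used in the sample data.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict."""
    return {k: v for k, v in KV_RE.findall(line.strip())}


def is_non_private(ip: str) -> bool:
    """True for a routable address outside the private/loopback/link-local ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: leave it for a separate data-quality check
    return not any(addr in net for net in PRIVATE_NETS)


def is_system_account(user: str) -> bool:
    """Sysmon reports LocalSystem as 'NT AUTHORITY\\SYSTEM'; compare case-insensitively."""
    return user.upper() in {"NT AUTHORITY\\SYSTEM", "SYSTEM"}


def find_suspicious_connections(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the network-connection records matching the SYSTEM -> external SMB/LDAP rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("EventID") != "3":  # only network-connection events
            continue
        try:
            port = int(rec.get("DestinationPort", ""))
        except ValueError:
            continue
        if port not in WATCHED_PORTS:
            continue
        if not is_system_account(rec.get("User", "")):
            continue
        dst = rec.get("DestinationIp", "")
        if not is_non_private(dst):
            continue
        rec["Reason"] = f"SYSTEM initiated outbound {WATCHED_PORTS[port]} to non-private host {dst}"
        hits.append(rec)
    return hits


def outlook_only_rule(lines: Iterable[str]) -> List[Dict[str, str]]:
    """The weaker rule seen in some advisories: Outlook.exe itself talking SMB."""
    return [
        rec for rec in (parse_line(l) for l in lines if l.strip())
        if rec.get("EventID") == "3"
        and rec.get("Image", "").upper().endswith("OUTLOOK.EXE")
        and rec.get("DestinationPort") == "445"
    ]


if __name__ == "__main__":
    for hit in find_suspicious_connections(SAMPLE_LOG.splitlines()):
        print(f"{hit['UtcTime']}  {hit['Reason']}")
    print("Outlook.exe-only rule matched:", len(outlook_only_rule(SAMPLE_LOG.splitlines())))
```

On the sample data the SYSTEM rule flags the two external connections (SMB to 203.0.113.10 and LDAP to 198.51.100.7), ignores the SMB connection to the internal 10.0.0.5 host, and ignores the non-SYSTEM svchost.exe connection, while the Outlook.exe-only rule matches nothing, which is the gap the article points out. In production the same predicate would be expressed in the SIEM's query language over the real Sysmon or firewall telemetry.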

This vulnerability affects all currently supported versions of Microsoft Outlook for Windows, but not Outlook for Android, iOS, or macOS. If patching is not immediately possible, Microsoft recommends adding users to the Protected Users group in Active Directory and blocking outbound SMB traffic on TCP port 445.

According to Microsoft, cybercriminals linked to Russian intelligence services have actively exploited this zero-day vulnerability. The threat actors (TAs) have used the exploit to target government, military, energy, and transportation organizations in the past year. CVE-2023-23397 allows a threat actor to send a specially crafted email with a malicious payload that causes the victim’s Outlook client to automatically connect to a UNC location under the actor’s control, which receives the user’s Net-NTLMv2 password hash. This disclosure of credentials would permit further methods of exploitation, and exploitation can occur before the user opens or previews the email.

To prevent potential attacks, Microsoft recommends that users patch their systems immediately. The company has also released several mitigations for organizations that cannot patch their systems immediately. It's important for users and organizations to stay vigilant and keep their systems updated to protect themselves against potential cyber attacks.

Cyborg Security has released premium detection content for our customers to hunt for this exploit and its associated behavior.