Microsoft Outlook for Windows 0-Day Vulnerability - CVE-2023-23397

16 Mar / 2023

Microsoft Outlook for Windows 0Day vulnerability

CVE: CVE-2023-23397

WHAT IS VULNERABLE?

  • All versions of Outlook for Windows
  • Outlook Web Access, Mobile and MacOS are unaffected.

WHAT IS HAPPENING?

  • Microsoft recently published an update for Outlook for Windows that patches a previously unknown vulnerability.
  • This vulnerability in Outlook allows an attacker to steal Credentials using NTLM and a malicious server without user intervention.
  • This attacker behaviour has been seen in the wild and is being actively exploited.

KEY FACTS

  • Attackers are using a Privilege Escalation Vulnerability in Outlook to steal NTLM credentials BEFORE the user opens the malicious email.
  • They do this by sending an email with a malicious extended MAPI property supplying a UNC path that does not need to be in your environment.
  • This UNC path is for an SMB Share on an attacker-controlled server.
  • The connection to the SMB Share sends the Users NTLM negotiation message.
  • This allows the malicious actor to use that NTLM negotiation message against other systems in your environment that support NTLM.

WHAT YOU CAN DO?

ASSESSING FOR POSSIBLE IMPACT

  • To determine if your organization was targeted by actors attempting to use this vulnerability, Microsoft is providing documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc.
  • Organizations should review the output of this script to determine risk. Tasks, email messages and calendar items that are detected and point to an unrecognized share should be reviewed to determine if they are malicious. If objects are detected, they should be removed or clear the parameter.
  • If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.

Cythera is committed to protecting our customers from cyber threats and ensuring their business continuity.

Resources

You may be interested in

Malware That Lives Beyond OS Rebuild

Normally if your machine is infected with malware, you can simply reinstall Windows, and the problem is solved, right? Not with this type of mal…

Read More arrow_forward

How to Optimise the Value of Your MDR Service: A Guide to Understanding MDR Pricing Models

MDR has long been hailed as a proactive alternative to Security Information and Event Management (SIEM) software. But, with such variety availab…

Read More arrow_forward

The 15 most important cybersecurity topics that every CEO needs to know in 2023.

With the New Year on its way, a number of Australian organisations are reflecting on the past year and wondering what they can be doing to impro…

Read More arrow_forward