Microsoft Outlook for Windows 0-Day Vulnerability - CVE-2023-23397

16 Mar / 2023

Microsoft Outlook for Windows 0Day vulnerability

CVE: CVE-2023-23397

WHAT IS VULNERABLE?

  • All versions of Outlook for Windows
  • Outlook Web Access, Mobile and MacOS are unaffected.

WHAT IS HAPPENING?

  • Microsoft recently published an update for Outlook for Windows that patches a previously unknown vulnerability.
  • This vulnerability in Outlook allows an attacker to steal Credentials using NTLM and a malicious server without user intervention.
  • This attacker behaviour has been seen in the wild and is being actively exploited.

KEY FACTS

  • Attackers are using a Privilege Escalation Vulnerability in Outlook to steal NTLM credentials BEFORE the user opens the malicious email.
  • They do this by sending an email with a malicious extended MAPI property supplying a UNC path that does not need to be in your environment.
  • This UNC path is for an SMB Share on an attacker-controlled server.
  • The connection to the SMB Share sends the Users NTLM negotiation message.
  • This allows the malicious actor to use that NTLM negotiation message against other systems in your environment that support NTLM.

WHAT YOU CAN DO?

ASSESSING FOR POSSIBLE IMPACT

  • To determine if your organization was targeted by actors attempting to use this vulnerability, Microsoft is providing documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc.
  • Organizations should review the output of this script to determine risk. Tasks, email messages and calendar items that are detected and point to an unrecognized share should be reviewed to determine if they are malicious. If objects are detected, they should be removed or clear the parameter.
  • If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.

Cythera is committed to protecting our customers from cyber threats and ensuring their business continuity.

Resources

You may be interested in

Safeguarding the Australian Health Sector with SASE: Beyond Perimeter Defense

Safeguarding the Australian Health Sector with SASE: Beyond Perimeter Defense Across the Australian healthcare landscape, digital transformatio…

Read More arrow_forward

Easy (and Cheap!) ways to secure your corporate email domain

Email is such a critical business tool for many businesses. And the massive shift to a “Work from Anywhere” model has led to an increased ri…

Read More arrow_forward

Adversary Simulation: Aka. Red Teaming - Moving Beyond Penetration Testing

Cythera are often approached by clients looking for Red Team services, social engineering and similar attacks which emulate real-world attackers…

Read More arrow_forward