Zero Day Exploit
Microsoft Outlook has a critical vulnerability (CVSSv3 9.8, rated Critical) that requires zero user interaction to exploit successfully.
Microsoft has released a patch for Outlook.
Threat Name: CVE-2023-23397
Risk Factor: Critical
Date: April 2023
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis
What we know so far about the Microsoft Outlook zero-day exploit
The vulnerability has been exploited by the threat group APT28, also known as Fancy Bear, Sofacy, and STRONTIUM since April 2022.
It was initially reported to Microsoft by the Ukrainian CERT. According to Microsoft, “a Russia-based threat actor” exploited the vulnerability in targeted attacks against several European organizations in government, transportation, energy, and military sectors.
Currently 15 organisations are believed to have been targeted or breached using CVE-2023-23397.
Solace Cyber's Head of Incident Response believes with high certainty that this particular vulnerability will be used by other threat actors, which would equate to a vast quantity of attacks in the coming days to weeks.
As of 16/03/2023, proof-of-concept code has been developed by security researchers and is likely to be used in subsequent attacks by other threat actors.
How Zero Day Exploit CVE-2023-23397 works
The attack involves the attacker sending a specially crafted Outlook note or task to the victim. The item triggers Outlook's notification (reminder) sound mechanism, which causes the client to send an NTLM negotiation request to an attacker-controlled SMB share. The threat actors accomplish this using extended MAPI properties that contain UNC paths. Because the request is made automatically, the vulnerability can be exploited with a single crafted email even if the victim never opens the item.
However, it’s worth noting that this vulnerability cannot be exploited with Outlook for iOS, Mac, or Outlook for Android. Nevertheless, it affects all Windows versions of Outlook that are currently supported.
Who is at risk from the Microsoft Outlook Zero Day Vulnerability
- Organisations that have on-premises domain controllers and use Outlook.
- Organisations that use Azure AD only and have no on-premises domain controllers are protected.
Note: Those at a higher risk include remote workers due to home firewalls that do not block SMB traffic.
Solace Cyber Recommendations to mitigate risk
- Immediately patch all Outlook clients to the latest available version (Microsoft released the required software update this Tuesday).
This can be done by emailing all end users to advise a manual update of Microsoft Office (click-to-run) or by updating via alternative methods. If you require assistance with auto-patching, Solace Cyber can assist.
- Launch any Office application (Microsoft Outlook, Word, Excel or PowerPoint).
- Select File > Office Account.
- Select Update Options > Update Now.
- Allow the update process to complete (approximate time to complete: under 15 minutes).
- Additionally, organisations are strongly advised to run Microsoft's script to look for signs of compromise in users' mailboxes.
Preferably this is run in audit mode only, so that forensic data is preserved and can be reviewed. If the script produces results, it is recommended that you review the UNC paths in the flagged Outlook items to determine whether exploitation has occurred.
- Ensure outbound SMB connections are blocked on your organisation's firewall.
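The mechanism described above (a UNC path in the extended MAPI property that names the reminder sound file) is also what the audit step looks for. The following is an added example, not Microsoft's script or Solace Cyber's code: an audit-only triage pass over a constructed export of mailbox item properties that flags any item whose PidLidReminderFileParameter value is a UNC path and records the host it would authenticate to. The export format and the sample values are assumptions made for this example.

```python
import re
from typing import Optional, Tuple

# Named MAPI property carrying the custom reminder sound path
# (MS-OXPROPS PidLidReminderFileParameter, LID 0x851F, PSETID_Common).
REMINDER_FILE_PARAM = "PidLidReminderFileParameter"

# UNC forms that make Windows reach out over SMB: \\host\share,
# \\?\UNC\host\share and //host/share. The lookahead keeps local
# \\?\C:\... device paths out of the match.
UNC_RE = re.compile(
    r"^(?:\\\\\?\\UNC\\|\\\\(?!\?)|//)(?P<host>[^\\/]+)[\\/](?P<share>[^\\/]*)",
    re.IGNORECASE,
)

def extract_unc_host(path: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (host, share) when the value is a UNC path, otherwise None."""
    if not path:
        return None
    m = UNC_RE.match(path.strip())
    return (m.group("host"), m.group("share")) if m else None

def triage_items(items, internal_hosts):
    """Audit-only pass: report items whose reminder sound points at a UNC
    path. Nothing is modified, so the evidence stays intact for forensics."""
    findings = []
    for item in items:
        hit = extract_unc_host(item.get("props", {}).get(REMINDER_FILE_PARAM))
        if hit is None:
            continue
        host, share = hit
        findings.append({
            "mailbox": item["mailbox"], "item_id": item["item_id"],
            "class": item["class"], "host": host, "share": share,
            # A host outside the estate is the strongest indicator to escalate.
            "external": host.lower() not in internal_hosts,
        })
    return findings

# Constructed sample export (hypothetical mailboxes and item ids, not real data).
SAMPLE_ITEMS = [
    {"mailbox": "alice@example.com", "item_id": "ITEM-1", "class": "IPM.Appointment",
     "props": {REMINDER_FILE_PARAM: r"\\203.0.113.10\sounds\alert.wav"}},
    {"mailbox": "alice@example.com", "item_id": "ITEM-2", "class": "IPM.Task",
     "props": {REMINDER_FILE_PARAM: r"\\?\UNC\fileserver.corp.example\share\r.wav"}},
    {"mailbox": "bob@example.com", "item_id": "ITEM-3", "class": "IPM.Note",
     "props": {REMINDER_FILE_PARAM: r"C:\Windows\Media\notify.wav"}},
    {"mailbox": "bob@example.com", "item_id": "ITEM-4", "class": "IPM.Appointment",
     "props": {}},
]

if __name__ == "__main__":
    for finding in triage_items(SAMPLE_ITEMS, {"fileserver.corp.example"}):
        print(finding)
```

A hit on an internal file server is worth confirming rather than ignoring, since the legitimate use of a network sound file is rare; a hit on an external host should be treated as an indicator of attempted credential relay and handled by incident response.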
Speak to a cyber security specialist
Solace Global can conduct forensic audits and patching to secure your estate from the Microsoft Outlook zero-day vulnerability.