Microsoft Outlook for Windows 0-Day Vulnerability - CVE-2023-23397

Microsoft Outlook for Windows 0Day vulnerability

CVE: CVE-2023-23397

WHAT IS VULNERABLE?

• All versions of Outlook for Windows
• Outlook Web Access, Mobile and MacOS are unaffected.

WHAT IS HAPPENING?

• Microsoft recently published an update for Outlook for Windows that patches a previously unknown vulnerability.
• This vulnerability in Outlook allows an attacker to steal Credentials using NTLM and a malicious server without user intervention.
• This attacker behaviour has been seen in the wild and is being actively exploited.

KEY FACTS

• Attackers are using a Privilege Escalation Vulnerability in Outlook to steal NTLM credentials BEFORE the user opens the malicious email.
• They do this by sending an email with a malicious extended MAPI property supplying a UNC path that does not need to be in your environment.
• This UNC path is for an SMB Share on an attacker-controlled server.
• The connection to the SMB Share sends the Users NTLM negotiation message.
• This allows the malicious actor to use that NTLM negotiation message against other systems in your environment that support NTLM.

WHAT YOU CAN DO?

• We strongly recommend that all customers apply the update that Microsoft have released, available here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 that patches this vulnerability.
• Further Details are available in the Microsoft Blog post here: https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
• Cythera is continuing to monitor all Managed Detection and Managed Vulnerability clients.

ASSESSING FOR POSSIBLE IMPACT

• To determine if your organization was targeted by actors attempting to use this vulnerability, Microsoft is providing documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc.
• Organizations should review the output of this script to determine risk. Tasks, email messages and calendar items that are detected and point to an unrecognized share should be reviewed to determine if they are malicious. If objects are detected, they should be removed or clear the parameter.
• If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.

Cythera is committed to protecting our customers from cyber threats and ensuring their business continuity.