Microsoft patches a zero-day vulnerability in Outlook that has been actively exploited for a year
Redmond took the fix seriously and even released a dedicated script for checking whether a compromise has already occurred.
Microsoft has fixed a zero-day vulnerability in Outlook tracked as CVE-2023-23397. The vulnerability was reportedly exploited in attacks that compromised the networks of about 15 government, military, energy and transportation organizations between mid-April and December 2022.
A hacking group tracked as APT28, STRONTIUM, Sednit, Sofacy or Fancy Bear sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests, forcing target devices to authenticate against attacker-controlled SMB resources.
The stolen credentials were used to move laterally through the victims' networks and to change the permissions of Outlook mailbox folders. This tactic enabled the exfiltration of email from the accounts of selected employees working in critical industries.
“An attacker could exploit this vulnerability by sending a specially crafted email that fires automatically when it is retrieved and processed by the Outlook client. When connecting to a remote SMB server, an NTLM negotiation message is sent from the user, which the attacker can then pass to authenticate against other systems that support NTLM authentication,” explains Microsoft in a short advisory on the vulnerability.
CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows, but not the versions for Android, iOS or macOS. Online services such as Outlook on the web and Microsoft 365 do not support NTLM authentication and are therefore immune to these attacks.
Microsoft is urging customers to apply the released fix immediately; as a temporary measure to limit the impact of the attacks, administrators can add users to the Protected Users group in Active Directory and block outbound SMB (TCP port 445).
Redmond also released a custom PowerShell script to help administrators verify whether any users in their Exchange environment have been affected by this Outlook vulnerability. “If necessary, administrators can use this script to clean up malicious items on a property, or even permanently remove items,” says Microsoft. When run in cleanup mode, the script can also modify or remove potentially malicious messages found on a trusted Exchange server.
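The check Microsoft's script performs boils down to inspecting the reminder-file property of calendar and task items for a path that points at a remote host, since that is what makes Outlook initiate the NTLM exchange. The following Python is an added example written for this article, not Microsoft's script: it classifies constructed sample values of that property (assumed to be PidLidReminderFileParameter) and flags any item whose reminder file resolves to a host outside an assumed allow-list of internal file servers.

```python
import re

# Constructed sample items modelled on the reminder-file property of
# calendar/task items; ids, hosts and paths are made up for this example.
SAMPLE_ITEMS = [
    {"id": "task-1", "reminder_file": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "task-2", "reminder_file": r"\\fileserver01.corp.example\media\ping.wav"},
    {"id": "task-3", "reminder_file": r"\\203.0.113.10\share\reminder.wav"},
    {"id": "note-4", "reminder_file": r"\\?\UNC\203.0.113.10\share\x.wav"},
    {"id": "note-5", "reminder_file": r"\\evil.example@80\dav\x.wav"},
    {"id": "note-6", "reminder_file": ""},
]

# Matches \\host\share\... and the \\?\UNC\host\share\... long-path form.
_UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\]+)(?:\\(?P<rest>.*))?$",
                     re.IGNORECASE)

def unc_host(value):
    """Lowercase remote host named by a UNC path, or None when the value is
    empty or a local/relative path that causes no network access."""
    if not value:
        return None
    m = _UNC_RE.match(value)
    if not m:
        return None
    # WebDAV-style "host@80" / "host@SSL@443" forms carry the port after '@'.
    return m.group("host").split("@", 1)[0].rstrip(".").lower()

def classify_reminder_path(value, trusted_hosts=frozenset()):
    """'empty', 'local', 'trusted-unc' (host on the allow-list) or
    'remote-unc' (Outlook would authenticate to a host we do not control)."""
    if not value:
        return "empty"
    host = unc_host(value)
    if host is None:
        return "local"
    trusted = {h.rstrip(".").lower() for h in trusted_hosts}
    return "trusted-unc" if host in trusted else "remote-unc"

def find_suspicious(items, trusted_hosts=frozenset()):
    """(id, host) for every item whose reminder file points at an untrusted
    remote host; this is the list an analyst would triage."""
    hits = []
    for item in items:
        value = item.get("reminder_file", "")
        if classify_reminder_path(value, trusted_hosts) == "remote-unc":
            hits.append((item["id"], unc_host(value)))
    return hits

if __name__ == "__main__":
    for item_id, host in find_suspicious(SAMPLE_ITEMS, {"fileserver01.corp.example"}):
        print(f"suspicious reminder file on {item_id}: authenticates to {host}")
```

A hit only shows that the item would make Outlook reach out to that host; whether the NTLM exchange actually happened is answered by outbound port 445 logs and the domain controller's authentication events, not by the mailbox item alone.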