Threat Intelligence: Microsoft 365 Apps Exploited - D1defend

Threat Intelligence: Microsoft 365 Apps Exploited

Posted: March 16, 2023

A critical vulnerability (CVE-2023-23397) in the Microsoft Outlook/365 application suite is being actively exploited in the wild and requires urgent patching.

Why worry about CVE-2023-23397?

The CVSS 9.8 bug allows remote, unauthenticated attackers to breach systems and steal credentials by sending a specially crafted email. The malicious email is triggered automatically when the Outlook client processes it, even before it is viewed in the Preview Pane.

What is impacted by CVE-2023-23397?

This vulnerability affects 32- and 64-bit versions of Microsoft 365 Apps for Enterprise, Office 2013, 2016, and 2019 (including LTSC).

How the attack works

The attack is initiated through a malicious email that causes the victim's client to connect to a location under attacker control. That connection leaks the victim's Net-NTLMv2 hash to the attacker, who can then authenticate as the victim.

What you can do about CVE-2023-23397

Microsoft suggests mitigations such as adding users to the “Protected Users Security Group” and blocking outbound TCP 445 (SMB) from your network. The vulnerability was found by CERT-UA, Microsoft Incident Response, and Microsoft Threat Intelligence.
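The outbound SMB connection described above, and the TCP 445 block suggested as a mitigation, can both be checked from the same telemetry. The following is an added example, not code from D1defend's post: it sweeps firewall log lines for TCP/445 connections from internal hosts to external destinations, whether the firewall allowed or denied them. The log format is a constructed key=value layout, the sample lines are constructed, and the internal address space is assumed to be RFC 1918.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall log, key=value style (not from any real product or incident).
SAMPLE_LOG = """\
2023-03-16T09:12:01Z action=allow proto=tcp src=10.1.20.14 sport=51234 dst=10.1.5.7 dport=445
2023-03-16T09:12:09Z action=allow proto=tcp src=10.1.20.14 sport=51240 dst=203.0.113.45 dport=445
2023-03-16T09:12:11Z action=allow proto=tcp src=10.1.20.22 sport=51301 dst=198.51.100.9 dport=443
2023-03-16T09:13:02Z action=deny proto=tcp src=10.1.20.31 sport=51402 dst=198.51.100.77 dport=445
2023-03-16T09:13:40Z action=allow proto=udp src=10.1.20.14 sport=51500 dst=203.0.113.45 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Assumed internal address space (RFC 1918); replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    action: str  # "deny" means the outbound block held, but the host still tried


def is_external(addr: str, internal_nets=INTERNAL_NETS) -> bool:
    """True if addr lies outside every configured internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in internal_nets)


def find_outbound_smb(log_text: str) -> list:
    """Return internal -> external TCP/445 connections, allowed or denied."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it, do not abort the sweep
        if m["proto"].lower() != "tcp" or m["dport"] != "445":
            continue  # the hash leak in this advisory rides on SMB over TCP 445
        if is_external(m["src"]) or not is_external(m["dst"]):
            continue  # only internal sources reaching external destinations count
        findings.append(Finding(m["ts"], m["src"], m["dst"], m["action"]))
    return findings
```

Every source host returned, including those whose connection was denied, is a client worth checking for the patch; an allowed entry means the outbound 445 block is not in place on that path.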

At least 15 European organizations in the government, military, energy, and transportation sectors have been targeted with these attacks, which have been attributed to Russian military intelligence.

We strongly advise immediate patching or implementation of the suggested mitigations. Remember, when patching, start with a test group first. For more information on patch best practices, I’d recommend watching SecOps 140: Windows 10 & 11 Patching.

Further attacks are expected as the patch is reverse-engineered and more threat actors obtain the exploit.

If you have any questions, concerns or would like further information, please do not hesitate to reach out to our security desk or one of our security advisors.
