Threat Watch

Microsoft Fixes Outlook Zero-day Used by Russian Attackers Since April 2022

Microsoft has patched an Outlook zero-day vulnerability (CVE-2023-23397) exploited by a hacking group linked to Russia’s military intelligence service GRU to target European organizations. The vulnerability was exploited to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations between mid-April and December 2022.

The hacking group (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks that forced the targets’ devices to authenticate to attacker-controlled SMB shares, stealing NTLM hashes via the resulting NTLM negotiation requests. The stolen credentials were used for lateral movement within the victims’ networks and to change Outlook mailbox folder permissions, a tactic that allowed email exfiltration from specific accounts.

Microsoft shared this information in a private threat analytics report seen by reporters and available to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions.

CVE-2023-23397 was reported by CERT-UA (the Computer Emergency Response Team for Ukraine). It is a critical Outlook elevation of privilege flaw that can be exploited without user interaction in low-complexity attacks: threat actors send messages whose extended MAPI properties contain UNC paths to an SMB share (TCP 445) under their control.

“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Microsoft says in a security advisory published today.

“The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication,” Redmond explained in a separate blog post.

CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows but does not affect Outlook for Android, iOS, or macOS. Online services such as Outlook on the web and Microsoft 365 do not support NTLM authentication, so they are not vulnerable to attacks exploiting this NTLM relay flaw.

Microsoft recommends patching CVE-2023-23397 immediately. Where patching is not immediately possible, the company advises adding users to the Protected Users group in Active Directory and blocking outbound SMB (TCP port 445), which may limit the impact of the vulnerability.


Microsoft urges customers to immediately patch their systems against CVE-2023-23397 or, as a temporary mitigation to minimize the impact of the attacks, add users to the Protected Users group in Active Directory and block outbound SMB (TCP port 445). Redmond also released a dedicated PowerShell script to help admins check whether any users in their Exchange environment have been targeted using this Outlook vulnerability. It “checks Exchange messaging items (mail, calendar and tasks) to see whether a property is populated with a UNC path,” Microsoft says. “If required, admins can use this script to clean up the property for items that are malicious or even delete the items permanently.” When run in Cleanup mode, the script can also modify or delete potentially malicious messages found on the audited Exchange server.
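The check Microsoft's script performs, an item property populated with a UNC path, is easy to reproduce as an audit rule. The Python below is an added example and is not Microsoft's script: it scans constructed message records (the field name `reminder_path` is a hypothetical stand-in for the extended property, and the hosts, domains and networks are made up), extracts the host from any UNC path and reports items whose path points outside the organisation's own file servers, since those are the ones worth triaging first.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A UNC path starts with two separators, a host, and another separator.
# Windows also accepts forward slashes in this position, so both forms are matched.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")


@dataclass
class MessagingItem:
    """One Exchange item (mail, calendar or task) reduced to the fields this audit needs."""
    item_id: str
    item_type: str                 # "mail", "calendar" or "task"
    reminder_path: Optional[str]   # hypothetical name for the extended property that may hold a UNC path


def extract_unc_host(value: Optional[str]) -> Optional[str]:
    """Return the host part of a UNC path, or None if the value is empty or not a UNC path."""
    if not value:
        return None
    match = UNC_RE.match(value.strip())
    return match.group(1) if match else None


def is_trusted_host(host: str, trusted_domains: List[str], trusted_networks: List[str]) -> bool:
    """A host is trusted if it is an IP inside a trusted network or a name under a trusted domain."""
    name = host.lower()
    try:
        addr = ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in ip_network(net) for net in trusted_networks)
    return any(name == d.lower() or name.endswith("." + d.lower()) for d in trusted_domains)


def audit_items(items: List[MessagingItem], trusted_domains: List[str],
                trusted_networks: List[str]) -> List[Tuple[str, str, str]]:
    """Return (item_id, item_type, host) for every item whose property points at an untrusted host."""
    findings = []
    for item in items:
        host = extract_unc_host(item.reminder_path)
        if host is None:
            continue  # empty, or a local path such as C:\...: nothing to report
        if is_trusted_host(host, trusted_domains, trusted_networks):
            continue  # an internal file server is expected here and is not a finding
        findings.append((item.item_id, item.item_type, host))
    return findings


# Constructed sample items; none of these values come from the article.
SAMPLE_ITEMS = [
    MessagingItem("m1", "mail", r"\\203.0.113.7\share\alert.wav"),
    MessagingItem("t1", "task", r"\\fileserver.corp.example\sounds\bell.wav"),
    MessagingItem("c1", "calendar", "//198.51.100.12/s/x.wav"),
    MessagingItem("m2", "mail", r"C:\Windows\Media\chimes.wav"),
    MessagingItem("m3", "mail", None),
]
TRUSTED_DOMAINS = ["corp.example"]
TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]


def run_sample_audit() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed sample set."""
    return audit_items(SAMPLE_ITEMS, TRUSTED_DOMAINS, TRUSTED_NETWORKS)


if __name__ == "__main__":
    for item_id, item_type, host in run_sample_audit():
        print(f"{item_type} item {item_id} references untrusted SMB host {host}")
```

Only the two items pointing at hosts outside the trusted domain and networks are reported; the internal file server, the local `C:\` path and the empty property are skipped. In a real environment the records would come from the Exchange items the official script enumerates, and the trusted lists from the organisation's own inventory.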