Executive Summary

This week Microsoft released a patch for a critical actively exploited privilege escalation vulnerability in Microsoft Outlook. The vulnerability is tracked as CVE-2023-23397.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to gain authentication details from a targeted machine. These details can then be relayed to other systems or brute-forced offline, leading to compromise of the account.

Technical Summary:

The vulnerability allows an attacker to craft malicious emails which force a target device to connect to a remote UNC of the attackers choice. A UNC is a path that can be used to access network resources. Upon connection, the Net-NTLMv2 hash, which is a hash of the victim’s password is leaked to the attacker. The attacker can then relay this hash to authenticate as the victim on other services or decode the hash offline. At no point does the email need to be previewed or opened, it is triggered as soon as it is received and processed by the email server.

What can I do?

It is recommended that organisations apply the latest patches as soon as possible as this vulnerability is recorded as actively exploited. In their analysis, Microsoft recorded that this vulnerability was exploited by Strontium, a state-sponsored Russian hacking group. Organisations using strictly off-premises solutions are not impacted.

Further information on CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397  

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity