Threat Intelligence: Outlook Zero-Day Vulnerability

Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts: 

A new zero-day vulnerability, reported by CERT-UA, has been patched by Microsoft.

The elevation of privilege security flaw resides within Outlook and allows NTLM credential theft. It has been seen exploited in the wild by groups linked to the Russian military intelligence service (GRU).

Read more about the CVE detail here: CVE-2023-23397 

The CVSS (Common Vulnerability Scoring System) Severity Score has been rated as: 9.8 

The Outlook client can be exploited through a specially crafted message carrying an extended MAPI property. Outlook processes this property automatically when the message is retrieved, before the message is shown in the preview pane, so no user interaction is required.

Once this has occurred, Outlook connects to the remote SMB server and sends the user’s NTLM negotiation message, which the attacker can then relay to authenticate against other systems that support NTLM authentication.

Once the credentials have been stolen, attackers have been observed moving laterally in the wild to exfiltrate emails.

This zero-day vulnerability impacts all supported versions of Microsoft Outlook for Windows but does not affect Outlook for Android, iOS, or macOS.

Online services such as Outlook on the web and Microsoft 365 are not impacted, as they do not support NTLM authentication. 

The recommendation from Microsoft is to patch systems so they are no longer susceptible to this vulnerability.  

If patching is not immediately possible, the advice is to add users to the Protected Users group in Active Directory and block outbound SMB (TCP port 445). However, this may impact applications that require NTLM. The settings revert once the user is removed from the Protected Users group.

A further recommendation is to block outbound TCP 445/SMB from your network using a perimeter firewall, a local firewall, and your VPN (Virtual Private Network) settings. This prevents NTLM authentication messages from being sent to remote file shares.
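The two interim controls above (blocking outbound TCP 445 on the local firewall and adding accounts to the Protected Users group) as an added PowerShell example, not a script from DigitalXRAID or Microsoft. It assumes the Windows Firewall NetSecurity cmdlets and the RSAT ActiveDirectory module are available and that it is run as a domain administrator; the rule name and the $UsersToProtect list are placeholders you supply.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the interim CVE-2023-23397 mitigations on a Windows host.
param(
    [string[]]$UsersToProtect = @(),   # sAMAccountNames to add to Protected Users (assumed input)
    [string]$RuleName = 'Block outbound SMB (TCP 445) - CVE-2023-23397 mitigation'
)

# 1. Block outbound SMB so Outlook cannot send NTLM authentication to a remote share.
#    Note: this blocks ALL outbound SMB, including internal file shares; scope it with
#    -RemoteAddress (e.g. only non-RFC1918 ranges) if internal shares must keep working.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created outbound block rule for TCP 445."
} else {
    Write-Host "Outbound TCP 445 block rule already present; nothing changed."
}

# 2. Add the chosen accounts to Protected Users. Membership disables NTLM for them,
#    so any application that still needs NTLM for these users will break: test first.
if ($UsersToProtect.Count -gt 0) {
    Import-Module ActiveDirectory
    $current = Get-ADGroupMember -Identity 'Protected Users' |
               Select-Object -ExpandProperty SamAccountName
    $toAdd = $UsersToProtect | Where-Object { $_ -notin $current }
    if ($toAdd) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $toAdd
        Write-Host "Added to Protected Users: $($toAdd -join ', ')"
    }
}

# 3. Verify: the rule is enabled and targets TCP/445, and list the protected accounts.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule | Select-Object Protocol, RemotePort
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName

# 4. Reverting once systems are patched (the Protected Users restrictions lift on removal):
#   Remove-ADGroupMember -Identity 'Protected Users' -Members $UsersToProtect -Confirm:$false
#   Remove-NetFirewallRule -DisplayName $RuleName
```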

Update: Microsoft is further urging businesses to patch their systems, as both state-linked and financially motivated threat actors are attempting to exploit this critical zero-day vulnerability to launch new attacks.

If you discover that you’ve suffered a breach as a result of this or any other vulnerability and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.

If you need any support in mitigating any risks this vulnerability may have on your business, please don’t hesitate to get in contact. 
