A severe security vulnerability has been discovered in Microsoft Outlook, which is currently being exploited by cybercriminals. The vulnerability, identified as CVE-2023-23397 with a CVSS score of 9.8, permits a remote, unauthorized attacker to compromise systems simply by transmitting a specifically crafted email. This malicious email enables the attacker to gain unauthorized access to the recipient’s credentials.
The exploit is initiated when the Outlook client fetches and processes the malicious email, so exploitation can occur before the email is even displayed in the preview pane. Processing the message triggers a connection from the victim's machine to a location controlled by the attacker. This leaks the victim's Net-NTLMv2 hash, the response value of the NTLMv2 challenge-response protocol used for authentication in Windows environments. The attacker can then relay this material to another service and authenticate as the victim, further compromising the system.
The attack is of low complexity and, according to Microsoft, has been seen in the wild, with the exploit used to target European government, military, energy, and transportation organisations. It was initially reported to Microsoft by CERT-UA (the Computer Emergency Response Team of Ukraine).
A proof-of-concept created by Hornetsecurity's Security Lab team demonstrates that the exploit is hard to detect: none of the anti-malware and sandbox services incorporated into VirusTotal recognized it as malicious.
The critical Microsoft Outlook vulnerability impacts both 32-bit and 64-bit versions of Microsoft 365 Apps for Enterprise & Business. Additionally, Office 2013, 2016, and 2019, as well as LTSC editions, are susceptible to the attack.
Not affected are Outlook for the web and Outlook for Android, iOS, or Mac.
To better protect your organization, we recommend the following steps in accordance with Microsoft’s advice:
The likelihood of more widespread attacks targeting the CVE-2023-23397 vulnerability is expected to increase now that public proof-of-concepts have already been released. We therefore highly recommend that all users of Microsoft Outlook apply the security patches provided by Microsoft as soon as possible.
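As an added illustration of the interim hardening Microsoft published alongside the patch (this is example code written for this page, not Hornetsecurity's recommended steps or Microsoft's own script): block outbound SMB from the endpoint so the attacker-triggered connection cannot leave the network, and place privileged accounts in the Protected Users group so they do not authenticate with NTLM at all. It assumes an elevated session, the RSAT ActiveDirectory module on a domain-joined host, and a placeholder account list.

```powershell
# Added example: two mitigations for CVE-2023-23397 that reduce the impact of
# the Net-NTLMv2 leak described above. Run elevated; the patch is still required.

# 1. Block outbound TCP 445 to addresses outside the local intranet. The exploit
#    needs the victim to reach an attacker-controlled SMB listener; without that
#    connection no Net-NTLMv2 response is sent. "Internet" is the Windows
#    Firewall address keyword for non-intranet addresses, so internal file
#    servers on the local subnets keep working.
New-NetFirewallRule -DisplayName "CVE-2023-23397: block outbound SMB to Internet" `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block -Profile Any

# 2. Protected Users: members of this group cannot authenticate with NTLM, so a
#    relayed Net-NTLMv2 response for these accounts is useless to the attacker.
#    $PrivilegedAccounts is a placeholder; replace with real sAMAccountNames.
Import-Module ActiveDirectory
$PrivilegedAccounts = @('placeholder.admin1', 'placeholder.admin2')
Add-ADGroupMember -Identity 'Protected Users' -Members $PrivilegedAccounts

# 3. Verify both changes took effect.
Get-NetFirewallRule -DisplayName "CVE-2023-23397*" |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object SamAccountName
```

Protected Users membership also disables cached credentials and DES/RC4 Kerberos encryption for those accounts, so test with a pilot group before applying it to service or break-glass accounts.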
Our partners at the Security Lab at Hornetsecurity continue to monitor the threat landscape to ensure that our customers are protected from the latest cyber threats.