
Security advisory: Microsoft Outlook privilege escalation vulnerability


Overview

Microsoft has released a patch for an Outlook vulnerability that allows an attacker to change Outlook mailbox folder permissions, enabling email exfiltration for specific accounts BEFORE the email is viewed in the preview pane.


Details

Microsoft has patched an Outlook zero-day vulnerability (CVE-2023-23397) that allows an NTLM relay attack against another service, letting the attacker authenticate as the user. This vulnerability is known to have been exploited by a hacking group linked to Russia’s military intelligence service, GRU, to target European organisations.


CVE-2023-23397 was found to allow a threat actor to harvest NTLMv2 hashes via a specially crafted Outlook appointment. According to Microsoft, attackers could exploit this vulnerability by sending an email that “triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”


Affected Products

This flaw affects all Microsoft Outlook versions for Windows. It does not affect Mac, iOS, Android, or web versions of Outlook.


Risk/severity assessment


Overall risk assessment: Critical

CVE details: CVE-2023-23397

Current exploitability: High

Current distribution: Low to medium

Risk Type/Severity Level

Command & control: Low

Disruption of service: High

Loss/theft of data: High

Threat Assessment

Attack vector: Network

Attack complexity: Low

Privileges required: None

User interaction: None

Detection potential: Low

Mitigation potential: High

Remediation potential: High

Response effort required: Low

Recommendations

Crossword recommends immediately implementing the patch offered by Microsoft. Full information here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397


For further information or advice, contact us.








