27 March 2023

Microsoft shares guidance on detecting Outlook zero-day exploited by Russian hackers


Microsoft has released a detailed guide to help organizations detect the signs of abuse of a recently patched Outlook zero-day vulnerability said to have been exploited in attacks by Russia-linked state-sponsored hackers.

Tracked as CVE-2023-23397, the vulnerability is an elevation of privilege issue that allows a remote attacker to compromise the vulnerable system.

“A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak,” Microsoft explained in its advisory. “It is exploited when a threat actor delivers a specially crafted message to a user. This message includes the PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property, which must be set to a Universal Naming Convention (UNC) path share on a threat actor-controlled server (via Server Message Block (SMB)/Transmission Control Protocol (TCP) port 445).”

“In exploitation of CVE-2023-23397, threat actors can specify the value for the PidLidReminderFileParameter in specially crafted messages to trigger a Net-NTLMv2 hash leak to threat actor-controlled servers.”
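The two quoted paragraphs describe the whole detection condition: the PidLidReminderFileParameter property is a UNC path whose host is a server outside the organization. The following Python triage helper is an added example, not Microsoft's detection script and not code from the advisory. It takes the property value as an already-extracted string (pulling the property out of mailbox items is left to Microsoft's published guidance), classifies it as a local path, an internal UNC path or an external UNC path, and returns the messages worth investigating. The internal address ranges, the `.corp.example` suffix and the sample messages are constructed for the example; the 203.0.113.0/24 addresses are from the documentation range and stand in for an attacker-controlled host.

```python
"""Triage helper for PidLidReminderFileParameter values (added example).

Given the string value of the extended MAPI property named in the article,
decide whether it would make Outlook open a UNC path on a host outside the
organisation, which is the condition the advisory describes for the
Net-NTLMv2 hash leak. The allowlists below are assumptions for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed definition of "internal": RFC 1918 ranges plus one internal DNS suffix.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
INTERNAL_SUFFIXES = (".corp.example",)  # hypothetical internal domain

# Matches \\host\share\file, the \\?\UNC\host\share\file form and the
# //host/share spelling; the host is everything up to the next separator.
UNC_RE = re.compile(
    r"^[\\/]{2}(?:\?[\\/]UNC[\\/])?(?P<host>[^\\/]+)(?:[\\/].*)?$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    value: str
    host: Optional[str]
    verdict: str  # "local-path", "unc-internal" or "unc-external"


def parse_unc_host(value: str) -> Optional[str]:
    """Return the host part of a UNC path, or None if the value is not UNC."""
    m = UNC_RE.match(value.strip())
    return m.group("host") if m else None


def is_internal_host(host: str) -> bool:
    """Decide whether a UNC host lies inside the assumed internal boundary."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Single-label names resolve through the domain and are treated as
        # internal here; dotted names must end in an allowlisted suffix.
        if "." not in host:
            return True
        return host.endswith(INTERNAL_SUFFIXES)
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def classify(value: str) -> Finding:
    """Classify one property value; only "unc-external" matches the advisory."""
    host = parse_unc_host(value)
    if host is None:
        return Finding(value, None, "local-path")
    verdict = "unc-internal" if is_internal_host(host) else "unc-external"
    return Finding(value, host, verdict)


def triage(messages: List[dict]) -> List[dict]:
    """Return the messages whose reminder file parameter points outside."""
    flagged = []
    for msg in messages:
        value = msg.get("PidLidReminderFileParameter")
        if not value:
            continue  # property absent or empty: nothing for Outlook to open
        finding = classify(value)
        if finding.verdict == "unc-external":
            flagged.append({**msg, "host": finding.host})
    return flagged


# Constructed sample messages (not real telemetry).
SAMPLE_MESSAGES = [
    {"sender": "calendar@corp.example", "subject": "Standup",
     "PidLidReminderFileParameter": r"C:\Windows\Media\Windows Notify Calendar.wav"},
    {"sender": "it@corp.example", "subject": "Patch window",
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\sounds\ping.wav"},
    {"sender": "noreply@example.net", "subject": "Invoice reminder",
     "PidLidReminderFileParameter": r"\\203.0.113.10\pcc\ding.wav"},
    {"sender": "events@example.net", "subject": "Webinar",
     "PidLidReminderFileParameter": r"\\?\UNC\203.0.113.10\share\x.wav"},
    {"sender": "hr@corp.example", "subject": "Review",
     "PidLidReminderFileParameter": None},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(f"FLAG {hit['sender']!r} {hit['subject']!r} -> {hit['host']}")
```

A hit is a lead rather than proof of compromise: confirm it against the mailbox host's outbound SMB connections to the flagged host on TCP port 445, which is the channel the advisory names for the hash leak. Single-label hosts are treated as internal only because they resolve through the domain; review them as well if name-resolution poisoning on the local network is a concern.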

The flaw is said to have been exploited by the Russian state-backed hacker group Strontium (aka APT28, Fancy Bear) in attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.

Microsoft says that all versions of Outlook for Windows are affected. Outlook for Android, iOS and Mac is not affected, and neither are users who access Outlook on the web (OWA) without the Outlook desktop client.

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) released a new open source incident response tool named “Untitled Goose Tool” that helps detect signs of malicious activity in Microsoft Azure, Azure Active Directory, and Microsoft 365 cloud environments.
