APT

Microsoft shares guidance for investigating attacks exploiting CVE-2023-23397

Microsoft is warning of cyber attacks exploiting a recently patched Outlook vulnerability tracked as CVE-2023-23397 (CVSS score: 9.8).

Microsoft published guidance for investigating attacks exploiting recently patched Outlook vulnerability tracked as CVE-2023-23397.

The flaw is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

A remote, unauthenticated attacker can exploit the flaw to access a user’s Net-NTLMv2 hash by sending a specially crafted e-mail to an affected system.

“An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.” reads the advisory published by Microsoft. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.” “External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.”

The vulnerability was reported by the CERT-UA and the Microsoft Incident Response, Microsoft Threat Intelligence (MSTI), suggesting that it has been exploited by a nation-state actor.

Microsoft addressed the flaw as part of its Patch Tuesday updates for March 2023.

The guidance published by Microsoft includes details about the attacks using the vulnerability. The following diagram shows attackers gaining initial access using a Net-NTLMv2 Relay attack, then maintaining persistence via modifying mailbox folder permissions, and performing lateral movement by sending additional malicious messages.

Observed threat actor exploitation of CVE-2023-23397 to gain unauthorized access to Exchange Server and modify mailbox folder permissions for persistent access to the mailbox. (Microsoft)

In the following attack scenario, threat actors used the compromised email account to extend their access within the compromised environment by targeting other members of the same organization.

Observed threat actor activity to extend their access in a compromised environment by using a compromised e-mail account to target other members of the same organization (Microsoft)

“While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity.” concludes the guidance. “Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability. “In this document, Microsoft Incident Response has highlighted threat hunting techniques and strategy for exploitation of this CVE, alongside some hunting techniques for observed post-exploitation threat actor behaviors. Furthermore, a broad threat hunting for anomalous user activity consistent with credential compromise is advised.”

The guidance also includes indicators of attack for this campaign.

Researchers from threat intelligence firm Mandiant also reported having observed an activity related to a months-long cyberespionage campaign exploiting Microsoft Exchange vulnerability CVE-2023-23397 conducted by a threat actor tracked as UNC4697 (likely linked to the APT28 group).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2023-23397)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

5 hours ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

7 hours ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

15 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

17 hours ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

18 hours ago

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

1 day ago