Microsoft has fixed a zero-day vulnerability (CVE-2023-23397) in Outlook that was exploited by a hacking group with ties to Russia’s military intelligence service, GRU. The hacking group, known under various names such as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear, used the security flaw to target European organizations in sectors including government, military, energy, and transportation between April and December 2022.
The hackers sent malicious Outlook notes and tasks that forced targeted devices to authenticate to attacker-controlled SMB shares, capturing the users' Net-NTLMv2 hashes from the resulting NTLM challenge-response exchange. The captured credentials were then relayed for lateral movement within the victims' networks and for changing Outlook mailbox folder permissions, enabling email exfiltration for specific accounts.
Microsoft shared this information in a private threat analytics report available to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions. The vulnerability (CVE-2023-23397) was reported by CERT-UA, Ukraine’s Computer Emergency Response Team. It is a critical Outlook elevation of privilege security flaw that can be exploited without user interaction in low-complexity attacks.
Threat actors can exploit the vulnerability by sending messages with extended MAPI properties (specifically the reminder-sound property, PidLidReminderFileParameter) containing UNC paths to an SMB share (TCP 445) under their control. Because the property is processed when the reminder fires, the target does not need to open the message. Microsoft explains that the connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.
CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows but does not impact Outlook for Android, iOS, or macOS versions. Online services like Outlook on the web and Microsoft 365, which do not support NTLM authentication, are also not vulnerable to attacks exploiting this NTLM relay vulnerability.
Microsoft strongly recommends that users immediately patch CVE-2023-23397 to mitigate the vulnerability and prevent incoming attacks. If patching is not immediately possible, the company advises adding users to the Protected Users group in Active Directory (which prevents members from authenticating with NTLM at all) and blocking outbound SMB (TCP port 445) at the perimeter, on local firewalls and in VPN settings, to limit the impact of CVE-2023-23397.
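The two interim mitigations above, applied from an elevated PowerShell session on a domain-joined host, as an added example that is not part of the original article or of Microsoft's own guidance text. It assumes the RSAT ActiveDirectory module is installed and uses a constructed list of sample account names; replace them with the accounts you actually want to protect.

```powershell
# Added example (not from the article): apply the two interim mitigations for CVE-2023-23397.
# Assumes: elevated session, RSAT ActiveDirectory module present, and the sample
# account list below is constructed for illustration.

# 1. Block outbound SMB (TCP 445) with Windows Defender Firewall on this host.
#    The same block belongs on the perimeter firewall and in VPN settings so that
#    roaming clients cannot reach an attacker's share directly.
$ruleName = 'Block outbound SMB (TCP 445) - CVE-2023-23397 mitigation'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Profile Any -Action Block -Enabled True | Out-Null
}

# Verify the rule is present and enabled before relying on it.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 2. Add high-value accounts to Protected Users, whose members cannot authenticate with NTLM,
#    so a captured Net-NTLMv2 exchange is useless to the attacker.
#    Caveat: Protected Users also disables cached logons and DES/RC4 Kerberos for members,
#    so pilot it on a small group first; laptops that log on offline will be affected.
$accounts = @('alice.admin', 'bob.admin')   # constructed sample; use real sAMAccountNames
Import-Module ActiveDirectory
foreach ($sam in $accounts) {
    $user = Get-ADUser -Identity $sam -ErrorAction Stop
    Add-ADGroupMember -Identity 'Protected Users' -Members $user
}

# Confirm membership took effect.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Blocking port 445 stops the direct SMB path described in the article; keep in mind that the Windows redirector can fall back to WebDAV over HTTP when SMB is unreachable, so the firewall rule is a stopgap and not a substitute for the patch.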
To assist administrators in detecting and mitigating targeted attacks, Microsoft has released a dedicated PowerShell script that checks Exchange messaging items (mail, calendar, and tasks) for properties populated with a UNC path. Run in audit mode it only reports; in Cleanup mode it can clear the malicious property or permanently delete the affected items found on the audited Exchange Server.
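The same check done client-side, as an added example that is neither Microsoft's Exchange script nor code from the original article: it sweeps one Outlook profile through the Outlook COM object model and reports any item whose reminder-sound property (PidLidReminderFileParameter, id 0x851F in the PSETID_Common property set) points at a UNC path. It assumes a desktop Outlook installation with a configured profile on the analyst's machine, and that PowerShell is launched with the same bitness as Outlook; the folder set and regular expression are this example's own choices.

```powershell
# Added example, not Microsoft's CSS-Exchange script: sweep the current Outlook profile
# for items whose reminder-sound property holds a UNC path (the CVE-2023-23397 trigger).
# Assumes desktop Outlook is installed and a profile is configured.

# DASL name of PidLidReminderFileParameter: property set PSETID_Common
# {00062008-0000-0000-C000-000000000046}, id 0x851F, type PT_UNICODE (0x001F).
$reminderFileProp = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'

# Default folders to sweep, using OlDefaultFolders values: Inbox=6, Calendar=9, Tasks=13.
$folderIds = @{ Inbox = 6; Calendar = 9; Tasks = 13 }

function Find-UncReminderItems {
    param([Parameter(Mandatory)] $Namespace)
    $hits = @()
    foreach ($entry in $folderIds.GetEnumerator()) {
        $folder = $Namespace.GetDefaultFolder($entry.Value)
        foreach ($item in $folder.Items) {
            try {
                $value = $item.PropertyAccessor.GetProperty($reminderFileProp)
            } catch {
                continue   # property not set on this item, which is the normal case
            }
            # Flag anything remote: \\host\share or the \\host@80\share WebDAV form.
            if ($value -match '^\\\\[^\\]+') {
                $hits += [pscustomobject]@{
                    Folder       = $entry.Key
                    Subject      = $item.Subject
                    CreationTime = $item.CreationTime
                    UncPath      = $value
                    EntryID      = $item.EntryID   # keep for later cleanup or export
                }
            }
        }
    }
    return $hits
}

$outlook  = New-Object -ComObject Outlook.Application
$ns       = $outlook.GetNamespace('MAPI')
$findings = Find-UncReminderItems -Namespace $ns
if ($findings.Count -eq 0) {
    Write-Host 'No items with a UNC reminder path found.'
} else {
    $findings | Format-Table -AutoSize
}
```

PropertyAccessor.GetProperty throws when the property is absent, so the try/catch is what keeps the sweep quiet on ordinary items. Any hit should be preserved (EntryID plus an export of the item) before the property is cleared or the item deleted, since the UNC host in the property is the indicator you will want for network log correlation.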