Microsoft has published a comprehensive guide aimed at helping customers identify signs of compromise from exploitation of a recently patched Outlook zero-day vulnerability. The flaw, tracked as CVE-2023-23397, is an elevation of privilege vulnerability in the Outlook client for Windows that lets attackers steal Net-NTLMv2 hashes with no user interaction, for use in NTLM relay attacks or offline cracking. Threat actors exploit it by sending a message (an email, task, or calendar item) carrying an extended MAPI property, PidLidReminderFileParameter, whose value is a UNC path to an attacker-controlled SMB share. When the reminder fires, Outlook opens that path and Windows authenticates to the remote host with the victim's credentials, which is what makes the attack zero-click.
In the report, Microsoft shares several techniques to determine whether credentials have been compromised through CVE-2023-23397 exploits, as well as mitigation measures to protect against future attacks. The company has also released a script that checks Exchange mailboxes for messages, tasks, and calendar items carrying the malicious property, but it notes that defenders must look for other signs of exploitation if the threat actors have covered their tracks by deleting the incriminating items.
Alternative sources of indicators of compromise for this Outlook flaw include telemetry from firewall, proxy, VPN, and RDP Gateway logs (for example, outbound SMB connections on TCP port 445 or WebDAV traffic to hosts the organization does not own), Azure Active Directory sign-in logs for Exchange Online users, and IIS logs for Exchange Server. Security teams should also check forensic endpoint data such as Windows event logs and, where available, telemetry from endpoint detection and response (EDR) solutions. In compromised environments, post-exploitation indicators are tied to the use of the stolen credentials against Exchange Web Services (EWS) and Outlook Web Access (OWA), and to malicious mailbox folder permission changes that give attackers persistent access to victims' emails.
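The two checks described above, as an added example that is not part of the original article or of Microsoft's script: the first classifies the value of PidLidReminderFileParameter (PSETID_Common, property ID 0x851F) the way a mailbox scan would, flagging any item whose reminder sound path points at a remote host that is not on an allowlist; the second walks mailbox audit records for folder permission grants to the Default or Anonymous principal, which is the kind of change that survives even after the attacker deletes the original message. The item and audit-record shapes, the sample data, and the treatment of Default/Anonymous grants as the risky pattern are all constructed assumptions for this example; a real scan would pull the property over EWS and the audit rows from Exchange mailbox auditing.

```python
import re

# PidLidReminderFileParameter (PSETID_Common, ID 0x851F) holds the path of a
# custom reminder sound. CVE-2023-23397 abuses it: a UNC path makes Outlook
# authenticate to the named host with the user's Net-NTLMv2 hash.
PIDLID_REMINDER_FILE_PARAMETER = 0x851F

# \\host\share\... and the WebDAV form \\host@80\share\...
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")
# file://host/share/... and smb://host/share/... forms
URL_RE = re.compile(r"^(?:file|smb)://([^/]+)/", re.IGNORECASE)


def reminder_target_host(value):
    """Return the remote host a reminder-sound path would make Outlook contact,
    or None when the value is empty or local (a drive path or bare filename)."""
    if not value:
        return None
    m = UNC_RE.match(value) or URL_RE.match(value)
    if not m:
        return None
    # Drop an @port suffix (WebDAV form) so allowlist comparison is by hostname.
    return m.group(1).split("@", 1)[0].lower()


def scan_items(items, trusted_hosts=()):
    """items: dicts {"mailbox", "subject", "props": {prop_id: value}}, a constructed
    stand-in for an EWS property dump. Returns one finding per item whose reminder
    path targets a host outside trusted_hosts (the caller's allowlist)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for item in items:
        value = item.get("props", {}).get(PIDLID_REMINDER_FILE_PARAMETER)
        host = reminder_target_host(value)
        if host and host not in trusted:
            findings.append({"mailbox": item["mailbox"], "subject": item["subject"],
                             "host": host, "path": value})
    return findings


# Assumption for this example: grants to these principals are the persistence
# pattern worth alerting on, since they open the folder to anyone who can reach it.
RISKY_PRINCIPALS = {"default", "anonymous"}


def suspicious_folder_grants(audit_rows):
    """audit_rows: dicts {"Operation", "MailboxOwner", "FolderPath", "Grantee",
    "Rights"}, a simplified constructed shape for mailbox-audit records. Flags
    UpdateFolderPermissions events that give a risky principal any right."""
    hits = []
    for row in audit_rows:
        if row.get("Operation") != "UpdateFolderPermissions":
            continue
        grantee = row.get("Grantee", "").lower()
        if grantee in RISKY_PRINCIPALS and row.get("Rights", "None") != "None":
            hits.append(row)
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_ITEMS = [
    {"mailbox": "alice@example.com", "subject": "Quarterly review",
     "props": {PIDLID_REMINDER_FILE_PARAMETER: "\\\\203.0.113.10\\share\\reminder.wav"}},
    {"mailbox": "bob@example.com", "subject": "Dentist",
     "props": {PIDLID_REMINDER_FILE_PARAMETER: "C:\\Windows\\Media\\chimes.wav"}},
    {"mailbox": "carol@example.com", "subject": "Budget",
     "props": {PIDLID_REMINDER_FILE_PARAMETER: "\\\\fileserver.corp.example\\sounds\\ping.wav"}},
    {"mailbox": "dave@example.com", "subject": "Standup", "props": {}},
]

SAMPLE_AUDIT = [
    {"Operation": "UpdateFolderPermissions", "MailboxOwner": "alice@example.com",
     "FolderPath": "\\Inbox", "Grantee": "Default", "Rights": "Owner"},
    {"Operation": "UpdateFolderPermissions", "MailboxOwner": "bob@example.com",
     "FolderPath": "\\Calendar", "Grantee": "assistant@example.com", "Rights": "Editor"},
    {"Operation": "MailItemsAccessed", "MailboxOwner": "carol@example.com",
     "FolderPath": "\\Inbox", "Grantee": "", "Rights": ""},
]

if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS, trusted_hosts=["fileserver.corp.example"]):
        print(f"[reminder] {f['mailbox']}: '{f['subject']}' -> {f['host']} ({f['path']})")
    for h in suspicious_folder_grants(SAMPLE_AUDIT):
        print(f"[folder-perm] {h['MailboxOwner']}{h['FolderPath']} grants "
              f"{h['Rights']} to {h['Grantee']}")
```

Note that the first check finds nothing once the attacker has deleted the item, which is exactly the case the article warns about; the permission check and the network and sign-in logs listed above are what remain. Internal file servers legitimately used for reminder sounds belong on the allowlist, but any hostname or IP address outside the organization's control is a finding regardless of whether the share still exists.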
Microsoft has also provided guidance on how to block future attacks targeting this vulnerability, emphasizing the importance of installing the recently released Outlook security update. The Microsoft Incident Response team said, "To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication." Additional measures that organizations at risk can take to mitigate such attacks and post-exploitation behavior include:
CVE-2023-23397 has been actively exploited since at least April 2022 and was used to breach the networks of at least 15 government, military, energy, and transportation organizations in Europe. While Microsoft publicly linked these attacks to "a Russia-based threat actor," the company also stated in a private threat analytics report that it believes the hacking group is APT28 (also known as STRONTIUM, Sednit, Sofacy, and Fancy Bear). This threat actor has previously been linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), Russia's military intelligence service. The credentials stolen in these attacks were used for lateral movement and to change Outlook mailbox folder permissions, a tactic that allowed the attackers to exfiltrate emails from specific accounts.
The Microsoft Incident Response team added, "While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity. Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability."