Microsoft Patches Outlook Zero-Day Exploited by Russian Hackers

March 14, 2023

Microsoft has patched a critical Outlook zero-day vulnerability (CVE-2023-23397) exploited by a hacking group linked to Russia's military intelligence service GRU to target European organizations. The vulnerability was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations between mid-April and December 2022.

The hacking group sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. The stolen credentials were used for lateral movement within the victims' networks and to change Outlook mailbox folder permissions, a tactic allowing for email exfiltration for specific accounts.

Microsoft recommends immediately patching CVE-2023-23397 to mitigate this vulnerability to thwart any incoming attacks. The company also advises adding users to the Protected Users group in Active Directory and blocking outbound SMB (TCP port 445) if patching is not immediately possible. Microsoft also released a dedicated PowerShell script to help admins check if any users in their Exchange environment have been targeted using this Outlook vulnerability. As Microsoft explains, "The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication."

Related News

• Microsoft March 2023 Patch Tuesday Fixes 2 Zero-Days, 83 Flaws

Latest News

• Microsoft Patches Windows Zero-Day Exploited in Ransomware Attacks
• Microsoft March 2023 Patch Tuesday Fixes 2 Zero-Days, 83 Flaws
• Adobe Warns of Zero-Day Exploits in ColdFusion
• Fortinet Patches High-Severity FortiOS Bug Used in Zero-Day Attacks
• BlackLotus Secure Boot Bypass Malware Set to Ramp Up