
CVE-2023-23397 – Microsoft Outlook Privilege Elevation Critical Vulnerability

Submitted by Style Pass, 2023-03-16 21:30:05

Written by Lina Jiménez Becerra, Anton Jörgensson and Mark Stueck of the Kudelski Security Threat Detection & Research Team

CVE-2023-23397: Ability to exploit an Elevation of Privileges by Microsoft Outlook processing a specially crafted incoming email

CVE-2023-23397 is an actively exploited zero-day vulnerability affecting Microsoft Outlook that was reported in Microsoft's March 2023 Patch Tuesday. Using NTLM relay attack techniques, an external attacker could prepare a crafted email that, once retrieved and processed by the victim's Outlook client, generates a connection from the victim to an external location under the attacker's control. Through that connection, the attacker learns the victim's Net-NTLMv2 hash, which is what is required to authenticate as the victim against another service.

Publicly available information sources mention that the vulnerability is known to have been actively exploited between April and December 2022 by APT28, a threat actor known to be linked to Russia's intelligence services, to target the networks of government, military, energy, and transportation organisations.
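A defender's check for the outbound connection described above, as an added example that is not from the Kudelski Security write-up: it scans firewall-style records for connections leaving the network on TCP 445 and separates allowed from blocked attempts. The record format, the internal address ranges, the sample records and the assumption that the coerced authentication travels over SMB are all constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumption: the address space this organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]
SMB_PORT = 445  # assumption: the coerced authentication travels over SMB

# Constructed firewall records: time, source, destination, port, action.
SAMPLE_LOG = """
2023-03-16T09:01:11Z,10.20.3.14,10.20.0.5,445,allow
2023-03-16T09:02:40Z,10.20.3.14,203.0.113.7,445,allow
2023-03-16T09:02:41Z,10.20.3.22,198.51.100.20,443,allow
2023-03-16T09:05:03Z,10.20.3.30,2001:db8::15,445,deny
"""


def is_internal(dest):
    """True only when dest is an IP literal inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False  # hostname or junk: cannot be shown to be internal
    return any(addr.version == net.version and addr in net
               for net in INTERNAL_NETS)


def external_smb_egress(log_text):
    """Return (time, source, destination, verdict) for SMB leaving the network."""
    findings = []
    for row in csv.reader(io.StringIO(log_text.strip())):
        if len(row) != 5:
            continue  # skip malformed records instead of crashing
        ts, src, dest, port, action = (field.strip() for field in row)
        if not port.isdigit() or int(port) != SMB_PORT or is_internal(dest):
            continue
        # An allowed connection means the Net-NTLMv2 exchange could have
        # completed; a denied one is an attempt the egress filter stopped.
        verdict = "exposed" if action.lower() == "allow" else "blocked"
        findings.append((ts, src, dest, verdict))
    return findings


if __name__ == "__main__":
    for finding in external_smb_egress(SAMPLE_LOG):
        print(*finding)
```

An "exposed" finding is a reason to treat the credentials used on that source host as potentially captured and to confirm that outbound TCP 445 is blocked at the perimeter.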
