Microsoft patches zero-day in Outlook that can be exploited without user action

The Windows version of Outlook contained a critical vulnerability that could be exploited by sending an email the recipient never had to open. The zero-day was actively exploited in the wild to capture the victim's NTLM credentials and authenticate to other systems as that user. Microsoft has released a patch.

CVE-2023-23397 has a CVSS score of 9.8 and is classified as an elevation-of-privilege vulnerability. To exploit it, an attacker sends an email whose MAPI properties carry a UNC path pointing to an SMB share on a server the attacker controls; the property in question is the extended MAPI property PidLidReminderFileParameter, which normally holds the path of a custom reminder sound. When Outlook processes the reminder it connects to that share and performs NTLM authentication, handing the attacker the user's Net-NTLMv2 response, which can then be relayed to authenticate as the user on other services.
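Once the values of that property have been collected from mailboxes, the practical question is which of them would actually make Outlook authenticate to a host outside the organization. The following PowerShell is an added example written for this article, not code from Microsoft or from the original page; the sample paths and the internal DNS suffix corp.example are constructed, and the suffix list is an assumption you would replace with your own.

```powershell
# Added example: classify PidLidReminderFileParameter values. Anything that is not a
# local file path makes Outlook reach out to a remote host when the reminder fires.
# Assumption: corp.example is the organisation's internal DNS suffix.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Get-ReminderPathVerdict {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedSuffixes = @('corp.example')   # constructed internal suffix
    )
    # A legitimate reminder sound is a local .wav; drive-letter paths are fine.
    if ($Path -match '^[A-Za-z]:\\') { return 'local' }

    # \\server\share and file://server/share both trigger a network fetch.
    $server = $null
    if     ($Path -match '^\\\\([^\\]+)\\')        { $server = $Matches[1] }
    elseif ($Path -match '^file://([^/\\]+)[/\\]') { $server = $Matches[1] }
    if (-not $server) { return 'unknown' }

    # A UNC host may carry a port (\\server@80\share). That form is fetched by the
    # WebClient service over WebDAV, so an SMB/445 block alone does not stop it.
    $viaWebDav = $server -match '@\d+$'
    $server    = $server -replace '@\d+$', ''

    $ip = $null
    $isInternal = $false
    if ([System.Net.IPAddress]::TryParse($server, [ref]$ip)) {
        $isInternal = ($ip.AddressFamily -eq 'InterNetwork') -and (Test-PrivateIPv4 $ip)
    }
    elseif ($server -notmatch '\.') {
        $isInternal = $true    # unqualified name, resolved through the domain
    }
    else {
        foreach ($s in $TrustedSuffixes) {
            if ($server.EndsWith(".$s", [StringComparison]::OrdinalIgnoreCase)) { $isInternal = $true }
        }
    }

    if ($isInternal) { return 'internal' }
    if ($viaWebDav)  { return 'external-webdav' }
    return 'external-smb'
}

# Constructed sample values, as they might be read from affected mailbox items.
$samples = @(
    'C:\Windows\Media\Alarm01.wav',
    '\\fileserver.corp.example\sounds\chime.wav',
    '\\10.20.30.40\share\sound.wav',
    '\\203.0.113.7\pwn\sound.wav',
    '\\evil.example.net@80\pwn\sound.wav',
    'file://198.51.100.2/pwn/sound.wav'
)

$samples |
    ForEach-Object { [pscustomobject]@{ Path = $_; Verdict = Get-ReminderPathVerdict -Path $_ } } |
    Format-Table -AutoSize
```

Paths classified as external are the ones worth treating as indicators of attack; an internal UNC path can still be a legitimate custom sound, but in a mail-borne item it is unusual enough to check.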

Microsoft says the vulnerability does not affect Microsoft 365 online services such as Outlook on the web, which do not support NTLM authentication, nor the Android, iOS or macOS versions of Outlook. The vulnerability is serious because Outlook processes the malicious property as soon as it handles the reminder, so the email need not be opened or even seen by the user.

The company has notified affected customers through a threat analytics report seen by Bleeping Computer. According to that report, a threat actor linked to the Russian military intelligence service GRU exploited the vulnerability between April and December 2022 to attack fewer than 15 government, energy, transport and military organizations. The group, known among other names as APT28 or Fancy Bear, is said to have used the vulnerability to get into networks and possibly steal email.

Microsoft recommends that users update Outlook immediately to close the vulnerability. Where that is not yet possible, the company recommends adding users to the Protected Users security group, which prevents their accounts from authenticating with NTLM, and blocking outbound SMB traffic on TCP port 445 so that Outlook cannot reach an attacker's share. Microsoft has also published a PowerShell script that checks Exchange mailbox items for messages carrying the malicious property, so organizations can see whether they have been targeted. Microsoft discovered the vulnerability together with CERT-UA, Ukraine's Computer Emergency Response Team.
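Both interim mitigations are normally applied from an elevated PowerShell session. The block below is an added example written for this article, not Microsoft's own script or guidance text. It assumes a domain-joined host with the ActiveDirectory module for the Protected Users step, that the account names alice and bob are placeholders for your own, that Network Location Awareness classifies your internal ranges as intranet so the Windows Firewall 'Internet' address keyword scopes the block correctly, and that the WebClient (WebDAV) service is not needed on the host.

```powershell
# Added example of the interim mitigations, written for this article; it is not
# Microsoft's own script. Run in an elevated PowerShell. Account names, the
# ActiveDirectory module and the WebClient step are assumptions about the environment.

# 1. Block outbound SMB (TCP 445) to hosts outside the organisation. A blanket block
#    would break internal file shares, so the rule is scoped with the firewall's
#    'Internet' address keyword (assumption: Network Location Awareness classifies the
#    organisation's ranges as intranet; verify with a test connection before relying on it).
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# 2. Add exposed users to Protected Users. Members cannot authenticate with NTLM at all,
#    so a leaked Net-NTLMv2 response buys the attacker nothing. Membership also disables
#    cached logons, RC4/DES Kerberos and delegation for those accounts, so pilot it first.
Import-Module ActiveDirectory
$accounts = @('alice', 'bob')                  # assumption: sAMAccountNames to protect
Add-ADGroupMember -Identity 'Protected Users' -Members $accounts
Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName

# 3. The SMB block does not stop a UNC path with an explicit port (\\server@80\share),
#    which the WebClient service fetches over WebDAV instead. Disable WebClient where
#    WebDAV is not needed (assumption: it is not needed on this host).
Stop-Service -Name WebClient -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled
```

None of this replaces the update: the firewall rule and the WebClient change only cut off the two transports Outlook would use to reach the attacker's server, and Protected Users only helps accounts that are actually in the group.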