On Friday, Microsoft shared a guide to help customers discover the indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability.

What is this Outlook vulnerability?

Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw is a privilege escalation issue that could be exploited to steal NT LAN Manager (NTLM) hashes and stage a relay attack without requiring any interaction by the user.

“External attackers [hackers, in other words] may send specially crafted emails which will cause a connection from the victim to an untrusted location under the attackers’ control,” the company stated in an advisory released this month.

“This will leak the Net-NTLMv2 hash of the victim to the untrusted network, which an attacker can then relay to another service and authenticate as the victim.”

The vulnerability was fixed by Microsoft as part of the Patch Tuesday updates for March 2023, but not before Russia-based threat actors weaponized the flaw in attacks against the government, transportation, energy and military sectors in Europe.

Microsoft’s incident response team said it found evidence of potential exploitation of the vulnerability as early as April 2022.

In an attack chain described by the tech giant, a successful Net-NTLMv2 relay attack allowed the threat actor to gain unauthorized access to an Exchange server and modify mailbox folder permissions to obtain persistent access.

The compromised email account was then used to extend the adversary’s access within the environment by sending additional malicious messages targeting other members of the same organization.

“While exploiting NTLMv2 hashes to gain unauthorized access to resources is not a new technique, exploiting CVE-2023-23397 is new [new as a hacking technique] and stealthy,” Microsoft stated.

“Organizations should review SMBClient event logging, process creation events, and other available network telemetry to identify potential exploitation via CVE-2023-23397.”
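Microsoft’s advice above boils down to one question a defender can ask of their telemetry: which workstations opened an outbound SMB (port 445) connection to a destination that is not one of our own networks, and was Outlook the process that opened it? The script below is an added illustration of that triage, not code from Microsoft or from the article. The log lines it reads are constructed for the example in a simplified key=value shape; real SMBClient events and SIEM exports will need their own parsing, and the list of trusted networks (RFC 1918, loopback and link-local here) should be replaced with the organization’s actual address plan.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample telemetry, not real Windows event output: one outbound
# SMB client connection per line, in a simplified key=value shape of the kind
# a SIEM might normalise SMBClient connectivity events into.
SAMPLE_EVENTS = [
    "ts=2023-03-17T09:12:04Z host=WS-0142 process=OUTLOOK.EXE dest=10.20.4.15 port=445",
    "ts=2023-03-17T09:12:31Z host=WS-0142 process=OUTLOOK.EXE dest=203.0.113.45 port=445",
    "ts=2023-03-17T09:13:02Z host=WS-0077 process=explorer.exe dest=192.168.1.200 port=445",
    "ts=2023-03-17T09:14:40Z host=WS-0077 process=OUTLOOK.EXE dest=198.51.100.9 port=445",
    "ts=2023-03-17T09:15:11Z host=WS-0099 process=OUTLOOK.EXE dest=fe80::1 port=445",
    "ts=2023-03-17T09:16:27Z host=WS-0099 process=OUTLOOK.EXE dest=share.example.net port=445",
    "ts=2023-03-17T09:17:05Z host=WS-0142 process=OUTLOOK.EXE dest=203.0.113.80 port=443",
    "this line is deliberately malformed and must be skipped",
]

EVENT_RE = re.compile(r"ts=(\S+) host=(\S+) process=(\S+) dest=(\S+) port=(\d+)")

# Networks an SMB client is expected to talk to: RFC 1918, loopback and
# link-local (assumed allow-list; replace with the real address plan).
# Anything outside these is treated as untrusted, because an NTLM
# challenge/response sent there can be captured or relayed.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]

SMB_PORT = 445


def parse_event(line: str) -> Optional[dict]:
    """Turn one log line into a dict, or None when it does not match the format."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ts, host, process, dest, port = m.groups()
    return {"ts": ts, "host": host, "process": process, "dest": dest, "port": int(port)}


def classify_destination(dest: str, trusted=TRUSTED_NETWORKS) -> str:
    """'trusted' for an address inside an allowed network, 'untrusted' for any
    other IP address, 'unresolved' when the destination is a hostname."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return "unresolved"
    # ip_address in ip_network is False across address families, so mixed
    # v4/v6 entries in the allow-list are safe to test together.
    return "trusted" if any(addr in net for net in trusted) else "untrusted"


def find_suspicious_smb(lines, trusted=TRUSTED_NETWORKS) -> List[dict]:
    """Return SMB (port 445) connections whose destination is not trusted.
    Connections initiated by Outlook are tagged so they can be triaged first."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["port"] != SMB_PORT:
            continue
        verdict = classify_destination(ev["dest"], trusted)
        if verdict == "trusted":
            continue
        findings.append({**ev, "verdict": verdict,
                         "outlook_initiated": ev["process"].lower() == "outlook.exe"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_smb(SAMPLE_EVENTS):
        flag = "OUTLOOK" if f["outlook_initiated"] else "other"
        print(f"{f['ts']} {f['host']} {flag:7} -> {f['dest']} ({f['verdict']})")
```

Run against the constructed sample, the script reports the two Outlook connections to public addresses and the one to an unresolved hostname, and stays silent about the internal shares and the non-SMB connection. A hostname destination is flagged rather than ignored on purpose: without resolving it you cannot tell whether it is internal, and the relay scenario in the article depends precisely on the client reaching a host it should not.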

The disclosure comes as the US Cybersecurity and Infrastructure Security Agency (CISA) has released a new open source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments (including, fittingly, Outlook).

Dubbed Untitled Goose Tool, the Python-based utility offers “new methods of authentication and data collection” to analyze Microsoft Azure, Azure Active Directory and Microsoft 365 environments, the agency said.

Earlier this year, Microsoft also urged customers to keep their on-premises Exchange servers up-to-date and take steps to harden their networks to mitigate potential cyber threats.

Among other things, remember that the average Windows user is often not exactly an expert; consequently, however many attacks there are (or are presumed to be, since they are often just oversights), common sense remains the most powerful antivirus at our disposal.

That said, if you don’t trust Outlook, there are various alternatives on the market, including Mozilla’s classic Thunderbird, the Windows Mail app bundled with Windows 8.1 and later (very practical), or simply accessing your email through a browser.

In any case, this problem has recently been fixed (just update; many still don’t understand the importance of updates…).

Having said that: happy surfing!