Microsoft’s threat intelligence team has attributed recently disclosed in-the-wild attacks targeting a critical vulnerability in its flagship Microsoft Outlook software to a Russia-based threat actor. A day after raising the alarm over live exploitation of the Outlook flaw, Microsoft said it attributed the exploit to a Russian APT targeting a limited number of organizations in the government, transportation, energy and military sectors in Europe. Redmond did not identify the actor or provide indicators of compromise (IOCs) to help defenders look for signs of intrusion. However, in a nod to the seriousness of the problem, the Microsoft Security Response Center (MSRC) has released mitigation guidance and published a CVE-2023-23397 script to help with auditing and cleanup. “We strongly recommend that all customers update Microsoft Outlook for Windows to stay secure,” Microsoft said. From the new MSRC documentation:

To determine if your organization has been targeted by actors attempting to use this vulnerability, Microsoft provides documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc. Organizations should review the output of this script to determine risk. Tasks, email messages, and calendar items that are detected and point to an unrecognized share should be investigated to determine if they are malicious. If objects are detected, they should be removed or the setting cleared. If no object is detected, it is unlikely that the organization was targeted via CVE-2023-23397.

The new documentation describes CVE-2023-23397 as a critical privilege escalation issue in Microsoft Outlook that is triggered when an attacker sends a message carrying an extended MAPI property with a UNC path to an SMB share (TCP 445) on a threat actor-controlled server. No user interaction is required, Microsoft warned. Because the flaw can be exploited before the email is even displayed in the preview pane, corporate security teams are advised to prioritize deployment of this update. The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay to authenticate against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to attack by these messages, Redmond added.

The Outlook zero-day headlined a busy Patch Tuesday that saw the rollout of fixes for 80 vulnerabilities across a wide range of Windows operating systems and software products. Microsoft also flagged a second vulnerability, CVE-2023-24880, for urgent attention as attackers continue to actively bypass its SmartScreen security feature. The company has struggled to contain attackers bypassing the SmartScreen technology integrated into Microsoft Edge and the Windows operating system to protect users from phishing and socially engineered malware downloads.
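The MSRC guidance above comes down to a triage step: for each task, message or calendar item the script returns, decide whether the UNC path in the item points at a share the organization recognizes. The Python below is added here as an example; it is not part of the article and not Microsoft’s script. It assumes a hypothetical allowlist of known share hosts (`KNOWN_SHARE_HOSTS`), a hypothetical internal DNS suffix, and RFC 1918, loopback and link-local ranges as “internal”, and it runs over constructed sample records shaped like a mailbox/item/property-value listing rather than real script output. It also separates out the `\\host@port` form, which makes Windows fetch the path over HTTP/WebDAV instead of SMB, so a block on outbound TCP 445 alone does not cover it.

```python
"""Triage UNC paths recovered from Outlook items (added example, constructed data).

Nothing here comes from the MSRC script; the allowlist and internal ranges are
hypothetical stand-ins for an organization's own inventory.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical: share hosts the organization recognizes as its own.
KNOWN_SHARE_HOSTS = {"fileserver01.corp.example", "fs02.corp.example"}
INTERNAL_DNS_SUFFIX = ".corp.example"  # hypothetical internal namespace
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records: (mailbox, subject, item class, property value).
SAMPLE_ITEMS = [
    ("alice@corp.example", "Weekly sync", "IPM.Appointment",
     r"\\fileserver01.corp.example\sounds\ding.wav"),
    ("bob@corp.example", "Invoice", "IPM.Note", r"\\203.0.113.10\share\r.wav"),
    ("carol@corp.example", "Reminder", "IPM.Task",
     r"\\files.attacker-example.net@80\x\y"),
    ("dave@corp.example", "Standup", "IPM.Appointment",
     "C:\\Windows\\Media\\notify.wav"),
    ("erin@corp.example", "Call", "IPM.Appointment", r"\\10.20.30.40\tmp\a.wav"),
]

# \\host[@port|@SSL]\remainder ; the @port / @SSL form is WebDAV (HTTP) syntax.
UNC_RE = re.compile(r"^\\\\([^\\@/]+)(?:@(SSL|\d+))?(?:\\(.*))?$", re.IGNORECASE)


@dataclass
class Finding:
    mailbox: str
    subject: str
    item_class: str
    value: str
    host: Optional[str]
    verdict: str  # local | known-share | internal-unknown | external | webdav


def parse_unc(value: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (host, port_or_None, remainder) for a UNC path, else None."""
    m = UNC_RE.match(value)
    if not m:
        return None
    host, port, rest = m.groups()
    return host, port, rest or ""


def classify_host(host: str, port: Optional[str]) -> str:
    """Decide whether a UNC host is a recognized share or something to chase."""
    lowered = host.lower()
    if port is not None:
        return "webdav"  # HTTP/WebDAV fetch: not stopped by a TCP 445 block
    if lowered in KNOWN_SHARE_HOSTS:
        return "known-share"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        inside = any(ip in net for net in INTERNAL_NETWORKS)
        return "internal-unknown" if inside else "external"
    if lowered.endswith(INTERNAL_DNS_SUFFIX):
        return "internal-unknown"
    return "external"


def triage(items) -> List[Finding]:
    """Classify every (mailbox, subject, item class, property value) record."""
    findings = []
    for mailbox, subject, item_class, value in items:
        parsed = parse_unc(value)
        if parsed is None:
            # A local path never makes Outlook reach out over the network.
            findings.append(Finding(mailbox, subject, item_class, value, None, "local"))
            continue
        host, port, _ = parsed
        findings.append(Finding(mailbox, subject, item_class, value, host,
                                classify_host(host, port)))
    return findings


def needs_investigation(f: Finding) -> bool:
    """The 'unrecognized share' category from the MSRC guidance."""
    return f.verdict in {"external", "webdav", "internal-unknown"}


if __name__ == "__main__":
    for f in triage(SAMPLE_ITEMS):
        flag = "INVESTIGATE" if needs_investigation(f) else "ok"
        print(f"{flag:11} {f.verdict:16} {f.mailbox:22} {f.value}")
```

Items classed `external`, `webdav` or `internal-unknown` are the ones the guidance says to investigate and then remove or clear; `known-share` and `local` are what a benign reminder sound looks like. Hosts that resolve to an unexpected internal address are kept in the queue on purpose, since an attacker already inside the network can host the share there too.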
The notorious Magniber ransomware operation was observed exploiting the SmartScreen bypass, prompting Microsoft to make several attempts to mitigate the issue.

Related: Microsoft warns against Outlook zero-day exploit and fixes 80 security vulnerabilities
Related: Microsoft Fixes MotW Zero-Day Exploited For Malware Delivery
Related: Microsoft fixes exploited Windows hole in ransomware attacks
Related: Adobe Warns of Very Limited ColdFusion Zero-Day Attacks