Security teams are sounding an alarm about a critical zero-day bug Microsoft patched earlier this month that allows adversaries to trigger an elevation of privilege attack within all versions of Microsoft's Windows Outlook. They fear a recently released proof-of-concept attack coupled with the ease of exploitation of the flaw could lead to "broad, rapid adoption" of the vulnerability.
Tracked as CVE-2023-23397 with a CVSS rating of 9.8, the bug only needs a specially crafted email to trigger the vulnerability. Adversaries only need to send a maliciously crafted email that will be processed by the Outlook client to trigger the exploit on unpatched versions of Windows Outlook.
Researchers at MDsec published the proof of concept on March 14 showing that they were able to create a malicious Outlook calendar appointment that immediately triggers NTLM authentication as soon as the email is opened. And as Deep Instinct pointed out, the vulnerability could also be exploited with a malicious task in Outlook.
NTLM is an authentication protocol first introduced in 1993 with Windows NT 3.1 that has long been phased out and considered a security risk. The chief concern of NTLM is about of the protocol via a hacking technique called pass the hash. More recent protocols such as Kerberos have replaced outdated NTLM security measures.
As Deep Instinct noted in a March 16 blog post: “Such an email could lead to exploitation before the email is viewed in the Preview Pane, which allows an attacker to steal credential hashes by forcing the target’s devices to authenticate to an attacker-controlled server.”
Deep Instinct also reported that it found additional samples exploiting the vulnerability, including the potential attack that Ukraine cyber authorities reported to Microsoft, which led the software giant to determine that a Russia-based threat actor used it to breach European organizations in the military, energy, transportation and government sectors between April and December 2022.
The vulnerability may have been exploited even earlier than 2022 by Iran, wrote researchers at Deep Instinct Threat Lab, which said they observed NTLM harvesting in 2020. Russia and Iran have a cyber-cooperation agreement.
Other versions of Outlook on Android, iOS, Mac and Outlook on the web are not affected, according to Microsoft, but security researchers urge everyone using the Outlook application to patch their systems as soon as possible and to run the PowerShell script provided by Microsoft to retroactively find malicious emails.