Microsoft Guidelines for investigating attacks using CVE-2023-23397

[German]Microsoft is not getting any rest because of the critical Outlook vulnerability CVE-2023-23397. Even though there was a patch as of March 14, 2023, the vulnerability is not 100 percent closed. Late last week, Microsoft published an article to help customers who want to scan their systems for signs of compromise by exploiting the patched Outlook Zero Day vulnerability.


RCE vulnerability, CVE-2023-23397

The vulnerability CVE-2023-23397 in Microsoft Outlook, rated critical, allows third-party privilege exploitation (in conjunction with Microsoft Exchange). Attackers can send a malicious email to a vulnerable version of Outlook. Once Outlook receives this mail (via Exchange), a connection can be established (without user intervention) to a device controlled by the attacker.

The attacker can thus tap the Net-NTLMv2 hash of the email recipient (see also this article from 2019 with explanations). This hash allows an attacker to authenticate as the recipient of the victim in an NTLM relay attack.

Outlook RCE-Schwachstelle CVE-2023-23397 Exploit von 2022

This vulnerability has been actively exploited by Russian attackers since mid-April 2022 (see also this report by deep instinct, which shows cases). It looks like other attackers are also exploiting this vulnerability (see this Palo Alto Networks article). Above tweet states that the email that exploited Outlook vulnerability CVE-2023-23397 in the wild was submitted to VirusTotal back on April 1, 2022. The mail targeted the State Migration Service of Ukraine.

Vulnerability insufficiently patched

This Elevation of Privilege vulnerability (EvP) was rated extremely critical with a CVEv3 score of 9.8. Microsoft had then released a patch on March 14, 2023 (see Patch critical EvP vulnerability CVE-2023-23397 in Outlook). However, the days turned out that the patch does not completely fix the vulnerability. Will Dormann already pointed out in the following tweet on March 17, 2023 that the vulnerabilities could also be triggered with a patch via SMB shares.


In another tweet, Dormann points out that there are also domains that don't have a dot in their name, which could also make it easy to get around Microsoft's fix.

 CVE-2023-23397 in Outlook and dotless domains

Meanwhile, many security researchers are trying different scenarios to exploit the vulnerability. Will Dormann discusses different issues in a sequence of tweets (e.g. attack via an Outlook calendar entry). Subsequent tweet from yesterday outlines the problem again – the security researcher has created a proof of concept (PoC) for exploitation in a network.

Outlook Schwachstelle CVE-2023-23397 weiter angreifbar

I had already addressed this issue of incomplete patching last week in the blog post Outlook vulnerability CVE-2023-23397 not fully patched and also outlined further measures to harden systems.

Microsoft's guidelines for investigating

Then, late last week, Microsoft's security team published an article Guidance for investigating attacks using CVE-2023-2339 – see also the following tweet – colleagues here also noticed it. The article acts as a guide, providing steps that organizations can take to determine if users or systems have already been attacked or compromised via CVE-2023-23397.

Microsoft Incident Response: Investigating attacks that use CVE-2023-23397

Successful exploitation of this vulnerability can lead to unauthorized access to an organization's environment by triggering a Net-NTLMv2 hash leak. Microsoft therefore devotes more detail in the article to how the vulnerability can be exploited by threat actors. Microsoft had indeed published a script that can supposedly be used on Exchange servers to check whether an attack has taken place (see Exchange Server Security Updates (March 14, 2023)). The problem is, however, that the script does not see e-mails that have already been deleted – so you cannot really tell whether the system has been compromised or not.

Microsoft therefore addresses further "indicators of compromise" with regard to this Outlook vulnerability in the guide, which could be used to notice an attack. This includes log files, telemetry data, and also possible registry manipulation that can be controlled by security teams. In compromised environments, permissions to access mailboxes of Exchange EWS/OWA users may have been modified to gain persistent access. For those in this space, the article Guidance for investigating attacks using CVE-2023-23397 provides some guidance for investigating systems.

Similar articles:
Patch critical EvP vulnerability CVE-2023-23397 in Outlook
Patchday: Microsoft Office Updates (March 14, 2023)
Exchange Server Security Updates (March 14, 2023)
Outlook vulnerability CVE-2023-23397 not fully patched


Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *