The Security Lab, Hornetsecurity’s in-house security laboratory, is warning about a serious vulnerability in Microsoft Outlook that is currently being exploited by cyber criminals. The vulnerability has the designation CVE-2023-23397 and is rated 9.8 under the Common Vulnerability Scoring System (CVSS).
It allows an unauthenticated attacker to compromise systems with a specially crafted email. The malicious email leaks the recipient’s Windows credentials (the Net-NTLMv2 response) to the attacker.
Attacks against CVE-2023-23397 will increase
“Now that the first proofs of concept have already been published, it can be assumed that attacks on the CVE-2023-23397 vulnerability will increase,” explains Umut Alemdar, Head of Security Lab at Hornetsecurity. “We therefore recommend that all Microsoft Outlook users install the security patches provided by Microsoft as soon as possible.”
Thanks to Advanced Threat Protection (ATP), Hornetsecurity’s security system is able to quarantine emails that attempt to exploit this vulnerability. “This prevents the emails from reaching the victim’s inbox,” Alemdar continues.
Attack before the preview
The vulnerability is triggered as soon as the Outlook client retrieves and processes the malicious email; no user interaction is required, so the attack can succeed before the message is even shown in the preview pane. The crafted email causes the victim’s Outlook to connect to a server under the attacker’s control and authenticate to it, which leaks the victim’s Net-NTLMv2 response (NTLMv2 is the challenge-response protocol used for authentication in Windows environments). The attacker can relay this response to another service that accepts NTLM authentication and thereby authenticate as the victim (an NTLM relay attack), or attempt to recover the victim’s password from the captured challenge/response pair offline, and then compromise the system further.
Microsoft rates the attack as low complexity and reports that it has already been exploited in the wild. The vulnerability was used to attack European government, military, energy and transport organizations. Microsoft was first notified of CVE-2023-23397 by CERT-UA, the Computer Emergency Response Team of Ukraine.
A proof-of-concept created by Hornetsecurity’s Security Lab team shows that the attack is particularly difficult to detect: none of the anti-malware and sandbox engines on VirusTotal classified it as malicious.
Recommended actions
For a list of affected versions and recommended actions to secure your organization, see here.
www.hornetsecurity.com