Microsoft Pins Outlook Zero-Day Attacks on Russian Actor
Microsoft’s threat intelligence team is blaming a “Russian-based threat actor” for newly disclosed in-the-wild attacks targeting a critical vulnerability in its flagship Microsoft Outlook software.
One day after sounding the alarm over live exploitation of the Outlook security flaw, Microsoft said it had attributed the attacks to a Russian-based threat actor targeting a limited number of organizations in the government, transportation, energy, and military sectors in Europe.
Microsoft did not name the threat actor or provide indicators of compromise (IOCs) to help defenders hunt for signs of compromise. However, in a nod to the severity of the issue, the Microsoft Security Response Center (MSRC) published mitigation guidance and released a CVE-2023-23397 script to help with the audit and cleanup.
- The new documentation describes the CVE-2023-23397 bug as a critical elevation-of-privilege issue in Microsoft Outlook that is triggered when an attacker sends a message carrying an extended Messaging Application Programming Interface (MAPI) property that holds a Universal Naming Convention (UNC) path to an SMB (TCP 445) share on a threat actor-controlled server; the Outlook client connects to that share when it processes the item, with no user interaction required.
- “We strongly recommend all customers update Microsoft Outlook for Windows to remain secure,” Microsoft said.
- “To determine if your organization was targeted by actors attempting to use this vulnerability, Microsoft is providing documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc.”
- Organizations should review the output of this script to determine risk.
- Tasks, email messages, and calendar items that are detected and point to an unrecognized share should be reviewed to determine if they are malicious.
- If such objects are detected, they should be removed, or the offending property should be cleared from the item.
- If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.
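The triage step in the list above (decide whether each flagged item points to a recognized share or to something that needs investigation) is easy to script once the audit output is in hand. The following is an added example written for this page, not Microsoft's script or documentation: it assumes the audit output has been reduced to a list of (item class, subject, value of the reminder file-path property) records, the sample records are constructed, the host allowlist is hypothetical, and the property name in the comment is the one Microsoft's advisory identifies rather than anything the article states. It parses both plain and `\\?\UNC\` style UNC paths, treats plain drive paths as harmless (they trigger no outbound SMB connection), and flags any UNC host that is not on the allowlist, with raw IP hosts called out separately.

```python
import ipaddress
import re

# Constructed sample records: (message class, subject, reminder file-path property).
# In Outlook the property is PidLidReminderFileParameter (assumption about the
# audit output's shape; the article itself does not name the property).
SAMPLE_ITEMS = [
    ("IPM.Note", "Invoice March", r"\\203.0.113.5\share\alert.wav"),
    ("IPM.Task", "Quarterly review", r"\\fileserver.corp.example\sounds\ding.wav"),
    ("IPM.Appointment", "Standup", None),
    ("IPM.Note", "Reminder", r"\\?\UNC\evil-host.example\c$\sound.wav"),
    ("IPM.Note", "Local sound", r"C:\Windows\Media\notify.wav"),
]

# Hypothetical allowlist of file servers that legitimately host reminder sounds.
TRUSTED_HOSTS = {"fileserver.corp.example"}

# \\host\share  or  \\?\UNC\host\share  (host and share captured, case-insensitive)
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\([^\\]+)", re.IGNORECASE)


def parse_unc(path):
    """Return (host, share) in lowercase if path is a UNC path, else None."""
    if not path:
        return None
    normalized = path.replace("/", "\\")  # Windows accepts forward slashes too
    m = UNC_RE.match(normalized)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def is_ip_literal(host):
    """True if the UNC host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(path, trusted_hosts=TRUSTED_HOSTS):
    """Classify one property value: 'none', 'local', 'trusted' or 'suspicious'."""
    if not path:
        return "none"            # property absent: item cannot trigger the bug
    unc = parse_unc(path)
    if unc is None:
        return "local"           # drive path: no SMB connection is made
    host, _share = unc
    if host in trusted_hosts:
        return "trusted"         # recognized share, still worth a glance
    return "suspicious"          # unrecognized share: review the item


def audit(items, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per item that carries a UNC path, with a verdict and reason."""
    findings = []
    for msg_class, subject, path in items:
        verdict = classify(path, trusted_hosts)
        if verdict not in ("trusted", "suspicious"):
            continue
        host, share = parse_unc(path)
        if verdict == "trusted":
            reason = "host is on the trusted share allowlist"
        elif is_ip_literal(host):
            reason = "UNC host is a raw IP address, not an internal name"
        else:
            reason = "UNC host is not on the trusted share allowlist"
        findings.append({
            "class": msg_class,
            "subject": subject,
            "host": host,
            "share": share,
            "verdict": verdict,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ITEMS):
        print(f"{f['verdict']:<10} {f['class']:<16} {f['subject']!r:<20} "
              f"\\\\{f['host']}\\{f['share']}  ({f['reason']})")
```

Anything reported as `suspicious` is the set to review and then remove or clear, as the guidance above says; items with no property at all never appear in the findings, which matches the "no objects detected" case.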