Microsoft shares tips on detecting Outlook zero-day exploitation

Microsoft today published a detailed guide to help customers find signs of compromise resulting from exploitation of a recently patched Outlook zero-day vulnerability.

Tracked as CVE-2023-23397, this elevation-of-privilege flaw in the Outlook client for Windows lets attackers steal Net-NTLMv2 hashes without any user interaction, in zero-click attacks where the captured credential is then relayed to other services or cracked offline.

Threat actors exploit it by sending a message whose extended MAPI properties (specifically the reminder property PidLidReminderFileParameter, which normally names a custom reminder sound file) contain a UNC path to an attacker-controlled SMB share. When the reminder fires, Outlook opens that path and authenticates to the share with the victim's credentials, leaking the Net-NTLMv2 response.

Microsoft shared several techniques for determining whether credentials were compromised through CVE-2023-23397 exploitation, along with mitigation measures to defend against future attacks.

While the company also released a script that lets admins check whether Exchange users have been targeted, Redmond noted that defenders must look for other signs of exploitation if the threat actors have covered their tracks by deleting the incriminating messages.

Alternative indicators of compromise linked to this Outlook flaw include telemetry from sources such as firewall, proxy, VPN, and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users and IIS logs for on-premises Exchange Server.

Other places security teams should check for signs of compromise are forensic endpoint data such as Windows event logs, and telemetry from endpoint detection and response (EDR) solutions where available.

In compromised environments, post-exploitation indicators include the targeting of Exchange EWS/OWA users with the stolen credentials and malicious mailbox folder permission changes that let the attackers keep persistent access to the victim's emails.
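One way to hunt for the EWS/OWA angle in the IIS logs mentioned above is to parse the W3C extended log format Exchange writes and report every user who successfully reached EWS or OWA from outside the networks you expect. The block below is an added example for this page, not Microsoft's guidance or tooling: the log excerpt is constructed, the `#Fields:` layout is one common IIS configuration (real servers may log a different field set, which the parser reads from the header rather than hard-coding), and the trusted network range is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed IIS W3C log excerpt from an on-premises Exchange server (not real data).
# User-Agent values are '+'-encoded as IIS does, so one row is one whitespace-split record.
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-03-15 09:12:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\jdoe 10.0.1.22 Microsoft+Office/16.0 200
2023-03-15 09:13:44 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\jdoe 198.51.100.7 python-requests/2.28.1 200
2023-03-15 09:14:02 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows) 401
2023-03-15 09:14:09 10.0.0.5 POST /owa/auth.owa - 443 CORP\jdoe 198.51.100.7 Mozilla/5.0+(Windows) 302
2023-03-15 09:15:30 10.0.0.5 GET /owa/ - 443 CORP\asmith 10.0.2.40 Mozilla/5.0+(Windows) 200
2023-03-15 09:16:11 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\asmith 203.0.113.55 curl/8.0.1 401
"""

# Assumption for this example: clients on this range are on-site or on the corporate VPN.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# URI prefixes that map to the services the page names as post-exploitation targets.
MAIL_PATHS = ("/ews/", "/owa/")


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the most recent #Fields: line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log row appears before a #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated row; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_trusted(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETWORKS)


def suspicious_mail_access(text):
    """Map user -> sorted untrusted client IPs that got a non-error response from EWS/OWA.

    Failed attempts (4xx/5xx) and anonymous rows are ignored: the signal is a *successful*
    request attributed to a named account from somewhere that account should not be.
    """
    hits = defaultdict(set)
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().startswith(MAIL_PATHS):
            continue
        user = row.get("cs-username", "-")
        if user == "-":
            continue
        status = row.get("sc-status", "-")
        if not status.isdigit() or int(status) >= 400:
            continue
        if is_trusted(row["c-ip"]):
            continue
        hits[user].add(row["c-ip"])
    return {user: sorted(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in suspicious_mail_access(SAMPLE_IIS_LOG).items():
        print(f"{user}: EWS/OWA access from untrusted IPs {ips}")
```

In the sample, `CORP\jdoe` is the account to pivot on: a scripted client (`python-requests`) hitting EWS successfully from an external address minutes after the same account used a normal Outlook client from inside is exactly the pattern a relayed or cracked credential produces. The `curl` attempt against `CORP\asmith` failed, so it is not reported, but a high volume of such failures is worth a separate alert.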

CVE-2023-23397 exploitation
Image: Microsoft

CVE-2023-23397 mitigation measures

Microsoft also shared guidance on blocking future attacks that target this vulnerability, urging organizations to install the recently released Outlook security update first.

“To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication,” the Microsoft Incident Response team said.

Other measures at-risk organizations can take to mitigate such attacks and limit post-exploitation activity include:

  • For organizations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active.
  • Where suspicious or malicious reminder values are observed, use the script to remove the messages or just the properties and consider initiating incident response activities.
  • For any targeted or compromised user, reset the passwords of every account that was logged in to the computers on which the user received suspicious reminders, and initiate incident response activities.
  • Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline.
  • Disable unnecessary services on Exchange.
  • Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist. This restricts what can reach servers such as Exchange; the credential leak itself is the Outlook client's outbound SMB connection to the attacker's share, so outbound TCP 445 from clients to the internet should also be blocked at the perimeter, local firewall and VPN.
  • Disable NTLM in your environment.

Source: BleepingComputer