Product Impacted: Microsoft Outlook
Criticality score: 9.8 Critical
On the 14th March 2023, Microsoft published details of a critical Outlook vulnerability known to have been exploited by threat actors. The vulnerability, tracked under CVE-2023-23397, allows attackers to obtain NTLM hashes by sending specially crafted emails to a victim which will exploit the vulnerability without their interaction.
According to Microsoft Security Resource Center (MSRC), this vulnerability has been actively exploited since April 2022 by the Russia-based threat actor APT28. The group have targeted numerous sectors in Europe including government, transport, energy, and military.
The crafted email contains a MAPI property holding a path to an SMB share that the threat actor controls. Once the email is received, the device connects to that SMB share and sends the user's NTLM negotiation message to it. This message can then be reused for authentication against other NTLM-supported systems. Online services, including Microsoft 365, do not support NTLM authentication and are therefore not vulnerable to this exploit.
All currently supported versions of Outlook for Windows are affected by this vulnerability, and Microsoft has released a security update which SenseOn recommends applying. If the security update cannot be applied, Microsoft advises adding users to the ‘Protected Users Security Group’, which prevents the use of NTLM for authentication. Alternatively, it is recommended that outbound SMB connections (TCP port 445) are blocked.
SenseOn’s detection capabilities mean that we are able to provide coverage across the estate for post breach activities related to this vulnerability. SenseOn provides detections to identify abnormal external connections over uncommon protocols, which will allow us to identify attempts to communicate to external servers over SMB port 445. In addition to this, SenseOn have various detections targeting related behaviour patterns that the SenseOn SOC are monitoring.
SenseOn’s approach to threat detection is to provide a mixture of behavioural and machine learning detections to identify behaviours such as lateral movement, command and control (C2) traffic and exfiltration.
It is this coverage that allows SenseOn to accurately detect the subsequent behaviours of an attacker who may look to exploit CVE-2023-23397.
Microsoft have provided a script which can be executed in PowerShell to detect exploit attempts on a device. SenseOn has updated the Hunt Library with the following queries so that you can also hunt through your own telemetry.
```sql
@placeholder('days', 'int', 'Days to look back', 7)
WITH
    groupUniqArray(name) AS names,
    groupUniqArray(version) AS versions
SELECT DISTINCT
    _hostname AS Device,
    CASE
        WHEN lower(name) LIKE '%outlook%2016%'      THEN 'Microsoft Outlook 2016'
        WHEN lower(name) LIKE '%outlook%2013%pack%' THEN 'Microsoft Outlook 2013 Service Pack 1'
        WHEN lower(name) LIKE '%office%2019%'       THEN 'Outlook 2019'
        WHEN lower(name) LIKE '%365%apps%'          THEN 'Microsoft 365 Apps for Enterprise'
        WHEN lower(name) LIKE '%office%ltsc%'       THEN 'Microsoft Office LTSC 2021'
    END AS Product,
    max(version) AS ProductVersion,
    multiIf(
        (Product = 'Microsoft Outlook 2016'                AND arrayStringConcat(names, '') LIKE '%KB5002254%'), 'patched',
        (Product = 'Microsoft Outlook 2013 Service Pack 1' AND arrayStringConcat(names, '') LIKE '%KB5002265%'), 'patched',
        (Product = 'Outlook 2019'                          AND ProductVersion LIKE '%.10396.20023'),            'patched',
        (Product = 'Microsoft 365 Apps for Enterprise'     AND ProductVersion LIKE '%.16130.20306'),            'patched',
        (Product = 'Microsoft Office LTSC 2021'            AND ProductVersion LIKE '%.14332.20481'),            'patched',
        'vulnerable'
    ) AS Status
FROM endpoint_program
WHERE _time_observed >= toUnixTimestamp(subtractDays(now(), :days)) * 1000
  AND (
        lower(name) LIKE '%outlook%2016%'
     OR lower(name) LIKE '%outlook%2013%pack%'
     OR lower(name) LIKE '%office%2019%'
     OR lower(name) LIKE '%365%apps%'
     OR lower(name) LIKE '%office%ltsc%'
  )
  AND lower(name) NOT LIKE '%azure%'
GROUP BY _hostname, Product
HAVING Status != 'patched'
```
```sql
@placeholder('days', 'int', 'How many days back to check', 7)
SELECT DISTINCT
    source_ip AS SourceIP,
    groupUniqArray(source_hostname) AS Hostnames,
    groupUniqArray(auth_username) AS AuthenticationUsernames,
    dest_ip AS Destination,
    groupUniqArray(dest_hostname) AS UniqueHostnames,
    groupUniqArray(dest_geo_country_code) AS ConnectionLocations,
    count(*) AS Connections
FROM network_ntlm
WHERE _time_observed >= toUnixTimestamp(subtractDays(now(), :days)) * 1000
  AND dest_network = 'external'
GROUP BY source_ip, dest_ip
ORDER BY Connections DESC
```
| Product | Patched update or build |
|---|---|
| Microsoft Outlook 2016 | KB5002254 |
| Microsoft Outlook 2013 Service Pack 1 | KB5002265 |
| Microsoft Outlook 2013 RT Service Pack 1 | KB5002265 |
| Microsoft Office 2019 | Version 1808 (Build 10396.20023) |
| Microsoft 365 Apps for Enterprise | Version 2302 (Build 16130.20306) |
| Microsoft Office LTSC 2021 | Version 2108 (Build 14332.20481) |
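As an added illustration (not part of SenseOn's advisory or Hunt Library), the following Python reproduces the patch-status logic of the first hunt query over an installed-programs inventory, using the KB and build numbers from the table above. It goes one step beyond the query: any Click-to-Run build later than the listed one is treated as patched, where the query's `LIKE '%.10396.20023'` style match only accepts the exact listed build and would report hosts that have since taken a newer Office update as vulnerable. Host names and version strings in the sample inventory are constructed.

```python
import re

# From Microsoft's table above: MSI products need the fix KB installed, Click-to-Run products need the listed build or later.
PATCHED_KB = {"Microsoft Outlook 2016": "KB5002254",
              "Microsoft Outlook 2013 Service Pack 1": "KB5002265"}
PATCHED_BUILD = {"Outlook 2019": (10396, 20023),
                 "Microsoft 365 Apps for Enterprise": (16130, 20306),
                 "Microsoft Office LTSC 2021": (14332, 20481)}
# Same product name patterns as the hunt query, applied to the lower-cased program name.
PRODUCT_PATTERNS = [(r"outlook.*2016", "Microsoft Outlook 2016"),
                    (r"outlook.*2013.*pack", "Microsoft Outlook 2013 Service Pack 1"),
                    (r"office.*2019", "Outlook 2019"),
                    (r"365.*apps", "Microsoft 365 Apps for Enterprise"),
                    (r"office.*ltsc", "Microsoft Office LTSC 2021")]

def product_of(name):
    n = name.lower()   # Azure components are excluded, as in the query's NOT LIKE '%azure%'
    return None if "azure" in n else next((p for pat, p in PRODUCT_PATTERNS if re.search(pat, n)), None)

def build_tuple(version):     # '16.0.16130.20306' -> (16130, 20306); (0, 0) if not four numeric parts
    parts = version.split(".")
    ok = len(parts) == 4 and all(p.isdigit() for p in parts)
    return (int(parts[2]), int(parts[3])) if ok else (0, 0)

def host_status(programs):    # [(name, version), ...] for one host -> {product: 'patched' | 'vulnerable'}
    names = " ".join(n for n, _ in programs)   # like arrayStringConcat(names) in the query
    best = {}                                   # highest build seen per product, like max(version)
    for name, version in programs:
        product = product_of(name)
        if product:
            best[product] = max(best.get(product, (0, 0)), build_tuple(version))
    status = {}
    for product, build in best.items():
        patched = (PATCHED_KB[product] in names if product in PATCHED_KB   # fix KB is its own program entry
                   else build >= PATCHED_BUILD[product])                  # later builds also carry the fix
        status[product] = "patched" if patched else "vulnerable"
    return status

def vulnerable_hosts(inventory):   # {hostname: [(name, version), ...]} -> sorted unpatched (host, product)
    return sorted((h, p) for h, progs in inventory.items()
                  for p, s in host_status(progs).items() if s != "patched")

SAMPLE_INVENTORY = {  # constructed sample inventory, not real telemetry
    "WS02": [("Microsoft 365 Apps for enterprise - en-us", "16.0.16026.20238")],
    "WS03": [("Microsoft Office Professional Plus 2019 - en-us", "16.0.10397.20021")],
    "WS04": [("Microsoft Outlook 2016", "16.0.4266.1001"),
             ("Security Update for Microsoft Outlook 2016 (KB5002254) 32-Bit Edition", "1.0")],
    "WS05": [("Microsoft Outlook 2016", "16.0.4266.1001")],
}
```

Running `vulnerable_hosts(SAMPLE_INVENTORY)` reports WS02 and WS05; WS03 is accepted because its build is newer than the listed one, and WS04 because the fix KB is present alongside Outlook 2016.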
SenseOn strongly recommends updating to a patched version as soon as possible as this is the most effective way to protect yourself from the exploit. Microsoft has released a helpful update guide, which is linked below.
Adding users to the ‘Protected Users Security’ group would prevent the use of NTLM as an authentication mechanism; however, this may cause issues for some users accessing NTLM-based applications.
Alternatively, Microsoft recommends blocking outbound TCP 445/SMB from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
Although no details have been confirmed, MDSec has found that blocking traffic on port 445 can be worked around if the WebClient service is running. Therefore, SenseOn’s primary recommendation is to patch any affected hosts.