2023-03-22

CVE-2023-23397: Microsoft Outlook Privilege Escalation Vulnerability Leads to NTLM Relay Attack

Category: Vulnerability | Industry: Global | Level: Tactical | Source: Microsoft

Microsoft's Patch Tuesday for March revealed a Microsoft Outlook elevation of privilege vulnerability, CVE-2023-23397. As explained in Microsoft's advisory, external "attackers could send specially crafted emails causing a connection from the victim to an external UNC location of attackers' control. This connection will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim." In addition, Microsoft states the vulnerability can be triggered when the preview pane is opened, even before the email containing the flaw is read, allowing it to be triggered "automatically when it is retrieved and processed by the email server." Threat actors exploiting this vulnerability were observed to have obtained NTLM hashes of their targets to gain access to their networks. Once inside, they proceeded to steal emails belonging to particular accounts.
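The following added example, which is not Microsoft's or Anvilogic's detection logic, flags internal hosts that opened SMB (TCP 445) connections to external addresses, the egress that a connection to an external UNC location produces over SMB. The CSV flow-log layout, field order, and all sample records are constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port,action.
# The CSV layout and every value below are assumptions for illustration.
SAMPLE_FLOWS = """\
2023-03-20T09:14:02Z,10.1.4.23,203.0.113.45,445,allow
2023-03-20T09:14:05Z,10.1.4.23,10.1.0.10,445,allow
2023-03-20T09:15:41Z,10.1.7.88,198.51.100.7,443,allow
2023-03-20T09:16:10Z,10.1.9.12,198.51.100.99,445,deny
2023-03-20T09:17:33Z,10.1.4.23,203.0.113.45,445,allow
"""

# Explicit internal ranges (RFC 1918, loopback, link-local). Listed by hand
# because ipaddress.is_private also covers documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORT = 445


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_smb(flow_text):
    """Map each internal source to the external SMB destinations it
    contacted, split by firewall action."""
    hits = defaultdict(lambda: defaultdict(set))
    for row in csv.reader(flow_text.splitlines()):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, src, dst, port, action = row
        if port != str(SMB_PORT):
            continue
        if is_internal(src) and not is_internal(dst):
            hits[src][action].add(dst)
    return {src: {act: sorted(dsts) for act, dsts in acts.items()}
            for src, acts in hits.items()}


if __name__ == "__main__":
    for src, acts in external_smb(SAMPLE_FLOWS).items():
        # "allow": the connection left the network, so treat the user's
        # Net-NTLMv2 hash as exposed. "deny": egress filtering held.
        print(src, acts)
```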

Anvilogic Use Case:

  • AVL_UC16938 - Potential CVE-2023-23397
