Microsoft Outlook Elevation of Privilege Vulnerability

Released: Mar 29, 2023


Severity: High
Platform: MS Outlook
Vendor: Microsoft
Vulnerability Type: No-interaction (zero-click) zero-day vulnerability exploited in the wild

CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Microsoft Outlook for Windows. It is a zero-click flaw: the crafted message only has to be received and processed by the Outlook client, and the user does not need to open or preview it for the exploit to fire. All supported versions of Microsoft Outlook for Windows are affected. Outlook for Android, iOS and macOS, Outlook on the web and other Microsoft 365 online services are not affected, because they do not support NTLM authentication and therefore cannot be made to leak the credential.

Common Vulnerabilities and Exposures

CVE-2023-23397

Background

CVE-2023-23397 is a critical privilege elevation / authentication bypass vulnerability in Outlook for Windows, fixed in Microsoft's March 2023 Patch Tuesday release. Threat actors exploit it by sending a crafted message (an email, calendar invite or task) that, again, does not need to be opened. The message carries the extended MAPI property PidLidReminderFileParameter, which names the sound file Outlook should play for the reminder, set to a UNC path on an attacker-controlled server. When the reminder fires, the Outlook client connects to that server over SMB (or WebDAV) and authenticates, leaking the user's Net-NTLMv2 hash (the challenge-response value used for authentication in Windows environments). The attacker can relay that value to another service to authenticate as the victim, or attempt to crack it offline to recover the password, and from there escalate privileges or further compromise the environment.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


March 14, 2023: Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/


March 24, 2023: Microsoft released guidance for investigating attacks using CVE-2023-23397
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

FortiGuard Labs recommends that users follow the vendor's guidance and patch affected versions of Outlook. Microsoft has also published a PowerShell script that scans Exchange mailboxes for email, calendar and task items carrying the malicious property and can optionally clean them up: https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md
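The triage logic behind such a scan, as an added example in Python (not code from this page and not Microsoft's CSS-Exchange script): each item's PidLidReminderFileParameter value is classified as absent, a local file path, a remote path to an internal host, or a remote path to an external host, and anything that would make Outlook authenticate to another machine is reported. The MailItem records are constructed sample data using example.net and TEST-NET-3 addresses, the INTERNAL_SUFFIXES list is a placeholder that must be set per tenant, and http/file URLs are treated as remote conservatively; a real deployment would read the two reminder properties from Exchange or a PST export.

```python
"""Triage of PidLidReminderFileParameter values, the property abused by CVE-2023-23397.

The exploit sets this extended MAPI property on a message, appointment or task
to a UNC path such as \\\\attacker\\share\\x.wav, together with
PidLidReminderOverride = True, so that when the reminder fires Outlook
connects to that host and authenticates. A benign value is a local file
path, typically a .wav under the Windows media directory.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: DNS suffixes that belong to the organisation (placeholder).
INTERNAL_SUFFIXES = (".corp.example",)

# RFC 1918, loopback and link-local, listed explicitly rather than via
# ipaddress.is_private, which also treats documentation ranges such as
# 203.0.113.0/24 as private and would hide an "external" test address.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

_UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")                    # \\host\share\file or //host/share/file
_URL_RE = re.compile(r"^(?:https?|file)://([^/\\?#]+)", re.I)  # WebDAV / file URL forms, treated as remote


@dataclass
class MailItem:
    subject: str
    sender: str
    reminder_override: bool         # PidLidReminderOverride
    reminder_file: Optional[str]    # PidLidReminderFileParameter


def remote_host(value: str) -> Optional[str]:
    """Host that Outlook would contact for this reminder-sound path, or None if it is local."""
    m = _UNC_RE.match(value) or _URL_RE.match(value)
    if not m:
        return None
    host = m.group(1)
    host = host.split("@")[0]            # \\host@80\ and \\host@SSL@443\ are WebDAV-over-UNC forms
    if host.startswith("["):             # [v6-literal]:port
        host = host[1:host.index("]")]
    elif ":" in host:                    # host:port
        host = host.split(":", 1)[0]
    return host.lower()


def is_internal(host: str) -> bool:
    """True for RFC 1918/loopback addresses, bare NetBIOS-style names and known internal suffixes."""
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in _INTERNAL_NETS)
    except ValueError:
        return host == "localhost" or "." not in host or host.endswith(INTERNAL_SUFFIXES)


def triage(item: MailItem) -> str:
    """Return 'clean', 'local', 'internal' or 'external' for one item."""
    if not item.reminder_file:
        return "clean"
    host = remote_host(item.reminder_file)
    if host is None:
        return "local"
    # Without PidLidReminderOverride Outlook ignores the custom sound, but a
    # remote path in this property is anomalous either way, so report it.
    return "internal" if is_internal(host) else "external"


def scan(items: List[MailItem]) -> List[Tuple[str, MailItem]]:
    """Items whose reminder sound would make Outlook authenticate to another host."""
    findings = []
    for item in items:
        verdict = triage(item)
        if verdict in ("internal", "external"):
            findings.append((verdict, item))
    return findings


# Constructed sample mailbox (example.net / TEST-NET-3 addresses, not real IOCs).
SAMPLE_ITEMS = [
    MailItem("Team sync", "alice@corp.example", False, None),
    MailItem("Dentist", "alice@corp.example", True, r"C:\Windows\Media\Alarm01.wav"),
    MailItem("Invoice 4471", "billing@example.net", True, r"\\203.0.113.7\share\a.wav"),
    MailItem("Re: contract", "legal@example.org", True, r"\\example.net@80\dav\x.wav"),
    MailItem("Backup job", "it@corp.example", True, r"\\fs01.corp.example\media\ding.wav"),
]

if __name__ == "__main__":
    for verdict, item in scan(SAMPLE_ITEMS):
        print(f"{verdict:8} {item.sender:24} {item.subject!r} -> {item.reminder_file}")
```

Internal hosts are reported as well as external ones because a relay listener on a compromised internal machine works just as well as one on the internet; the external verdicts are the ones to match against the IOC list below and against outbound TCP 445 / WebDAV connection logs from the affected workstations.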

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • Vulnerability

  • AV (Pre-filter)

  • Behavior Detection

  • Anti-spam

  • IPS

DETECT
  • IOC

  • Outbreak Detection

  • Threat Hunting

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Indicators of Compromise (IOC Indicator List)

Indicator | Type | Status
86.105.18.113 ip Active
74.208.228.186 ip Active
213.32.252.221 ip Active
185.132.17.160 ip Active
frge.io domain Active
193.138.218.161 ip Active
141.98.255.143 ip Active
202.175.177.238 ip Active
176.97.66.57 ip Active
bugiplaysec.com domain Active
85.195.206.7 ip Active
5c30f03a491ee5bde61a0b419faed0e43179c8f5ce99400... file Active
d440ae7072df94458a9da84ea3f91b03df4693f328066a8... file Active
9284c65ee99c6f8cb5c4b0eb68bcd9a135443ae3bb1b568... file Active
http://213.32.252.221/silence url Active
101.255.119.42 ip Active
113.160.234.229 ip Active
168.205.200.55 ip Active
181.209.99.204 ip Active
24.142.165.2 ip Active
101.255.119.42:445 ip Active
113.160.234.229:445 ip Active
168.205.200.55:445 ip Active
181.209.99.204:445 ip Active
185.132.17.160:445 ip Active
213.32.252.221:445 ip Active
85.195.206.7:445 ip Active
61.14.68.33 ip Active
61.14.68.33:445 ip Active
69.162.253.21 ip Active
69.162.253.21:445 ip Active
82.196.113.102 ip Active
82.196.113.102:445 ip Active
45.138.87.250 ip Active
45.138.87.250:443 ip Active
5.199.162.132 ip Active
77.243.181.10 ip Active
77.243.181.10:443 ip Active
ceriossl.info domain Active
globalnewsnew.com domain Active
http://101.255.119.42/event/2431 url Active
http://113.160.234.229/istanbul url Active
http://5.199.162.132/SCW url Active
sourcescdn.net domain Active
2bb4c6b32d077c0f80cda1006da90365 file Active
3d4362e8fe86d2f33acb3e15f1dad341 file Active
9f4172d554bb9056c8ba28e32c606b1e file Active
accounts@regencyservice.in email Active
dominic@mdsec.co.uk email Active
e6efaabb01e028ef61876dd129e66bac file Active
jayan@wizzsolutions.com email Active
maint@goldenloafuae.com email Active
tv@coastalareabank.com email Active
ece085c17ac5e822b78c533366e725bc845e215dcda78c0... file Active
68.76.150.97 ip Active
85.240.182.23 ip Active
174.53.242.108 ip Active
24.11.70.85 ip Active
settings-panel.frge.io domain Active
packinstall.kozow.com domain Active
62.4.36.126 ip Active
92df1d2125f88d0642e0d4919644376c09e1f1e0eaf48c3... file Active
42.98.5.225 ip Active
69.51.2.106 ip Active
http://101.255.119.42/mail/a5b3553d url Active
http://168.205.200.55/test url Active
http://181.209.99.204/information url Active
http://185.132.17.160/aojv43 url Active
http://213.32.252.221/fwd url Active
http://24.142.165.2/req url Active
http://42.98.5.225/ping url Active
http://61.14.68.33/rem url Active
http://69.162.253.21/pets url Active
http://69.51.2.106/report url Active
http://85.195.206.7/lrmng url Active
http://85.195.206.7/power url Active
50.173.136.70 ip Active
339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e... file Active
89.96.196.150:8080 ip Active
89.96.196.150 ip Active
77cf5efde721c1ff598eeae5cb3d81015d45a74d9ed885b... file Active
38.180.76.31 ip Active
recsecas.com domain Active
238334590d0f62d2a089bd87ad71b730 file Active
3b698278f225f1e5bace9d177a1a95e0 file Active
43a0441b35b3db061cde412541f4d1e1 file Active
65fdbc35bc8c3a2f0e872dbbfd32c7a7 file Active
7ee19e6bd9f55ebc0dd6413c68346de6 file Active
92e22b7e96aca3f9d733ca609ab0b589 file Active
9a97c56c9ea6d9ebde0968580ea28ea9 file Active
ashoke.kumar@hbclife.in email Active
b21dde4c19e2f6fc08a922e25de38cf5 file Active
b5d82be5813c7dacbd97ef5df073b260 file Active
ce65c51078b7c69a6f50b0b37a36293f file Active
commercial@vanadrink.com email Active
e68cbd4930e2781e0c1b19eb72ec0936 file Active
f60350585fbfc5dc968f45c6ef4e434d file Active
franch1.lanka@bplanka.com email Active
karina@bhpcapital.com email Active
m.nash@islandsailors.com email Active