Russian state-sponsored advanced persistent threat operations have been leveraging an already patched critical zero-day in Microsoft Outlook, tracked as CVE-2023-23397, as early as last April, SecurityWeek reports.
Exploiting the vulnerability prompts a Net-NTLMv2 hash leak, which has been used to facilitate initial and credential access, as well as lateral movement and persistence in compromised Outlook accounts, according to a report from Microsoft.
With attacks exploiting the vulnerability found to leave "very limited forensic artifacts" for endpoint forensic tools to analyze, organizations have been urged to strengthen their threat hunting by reviewing suspicious messages, calendar items, and user-reported tasks with reminders, evaluating network and endpoint logging, and scanning delivered messages for the PidLidReminderFileParameter property.
Organizations should also examine NTLM authentication against external or untrusted resources, SMBClient event logs, process execution events for WebDAV connection attempts, and firewall logs for outbound SMB connections, said Microsoft, which has also provided a detection script for the vulnerability.
SC Media's daily must-read of the most current and pressing daily news