Microsoft patched a security vulnerability this week that could be used by remote attackers to circumvent recent patches of a zero-day Outlook security flaw abused in the wild.
This no-click bypass (CVE-2023-29324) affects all supported versions of Windows and was reported by Akamai security researcher Ben Barnea.
“All versions of Windows are affected by the vulnerability. Therefore, all versions of the Outlook client on Windows are exploitable,” Barnea explained.
The Outlook zero-day patched in March (CVE-2023-23397) is a privilege escalation flaw in the Outlook client for Windows that lets attackers steal NTLM hashes without any user interaction, for use in NTLM relay attacks.
Threat actors can exploit it by sending messages with extended MAPI properties containing UNC paths to custom notification sounds, which forces the Outlook client to connect to SMB shares under their control.
Microsoft fixed the issue by adding a MapUrlToZone call that checks whether the UNC path points to an Internet URL, and falling back to the default reminder sound if it does.
Outlook no-click privilege elevation bypass
While analyzing the CVE-2023-23397 mitigation, Barnea discovered that the URL in the reminder could be modified so that the MapUrlToZone check treats a remote path as a local one.
This bypasses Microsoft’s patch and forces the Windows Outlook client to connect to the attacker’s server.
“This problem appears to be the result of complex path management on Windows,” explains Barnea.
In light of Barnea’s findings, Microsoft warns that “Customers should install updates for CVE-2023-23397 and CVE-2023-29324 to be fully protected.”
Although Internet Explorer has been removed, the vulnerable MSHTML platform is still used by some applications through the WebBrowser control, as well as Internet Explorer mode in Microsoft Edge.
For this reason, Redmond urges customers to install both this month’s security updates and the cumulative IE updates released to address the CVE-2023-29324 vulnerability to stay fully protected.
Exploited by Russian state hackers for data theft
As Microsoft revealed in a private threat analysis report, CVE-2023-23397 was exploited by the Russian state hackers APT28 (a.k.a. STRONTIUM, Sednit, Sofacy, or Fancy Bear) in attacks on at least 14 government, military, energy, and transportation organizations between mid-April and December 2022.
APT28 has been linked to the Russian military intelligence service, the main directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Threat actors used malicious Outlook Notes and Tasks to steal NTLM hashes by forcing their targets’ devices to authenticate to attacker-controlled SMB shares.
These stolen credentials were used for lateral movement within the victims’ networks and to modify Outlook mailbox permissions to exfiltrate emails for specific accounts.
Microsoft published a script to help Exchange administrators check whether their servers have been compromised, but also advised them to look for other signs of exploitation in case the threat actors cleaned up their tracks.
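The mechanism described above (a reminder-sound property carrying a UNC path that makes Outlook authenticate to a remote SMB share) is something an administrator can triage on exported mailbox items. The following is an added example, not Microsoft's CVE-2023-23397 script or Akamai's research code: it assumes items have already been exported to Python dicts, that the custom reminder sound lives in the MAPI property named PidLidReminderFileParameter (the article only says "extended MAPI properties"), and that any host other than the local machine is worth a finding. The host list, sample items and hostnames are constructed for the example.

```python
"""Flag Outlook items whose reminder-sound path would make the client contact a remote host.

Added example, not Microsoft's own detection script. Assumptions: mailbox items are
already exported as dicts, the custom sound sits in PidLidReminderFileParameter, and
every non-local host is suspicious. Sample data below is constructed.
"""
import re
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Hosts that resolve to the local machine, so no NTLM exchange with a third party occurs.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}

# C:\... style paths stay on the local disk.
_DRIVE_RE = re.compile(r"^[a-z]:[\\/]", re.IGNORECASE)
# Anything that looks like scheme: (file:, http:, ...) is parsed as a URL.
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)
# \\host\share, //host/share and the \\?\UNC\host\share long-path form.
_UNC_RE = re.compile(r"^[\\/]{2,}(?:\?[\\/]UNC[\\/])?([^\\/?]+)(?:[\\/]|$)", re.IGNORECASE)


def _normalise(host: str) -> Optional[str]:
    """Lower-case a host and drop it if it is the local machine."""
    host = host.strip().lower().rstrip(".")
    return None if host in LOCAL_HOSTS else host


def remote_host(value: Optional[str]) -> Optional[str]:
    """Return the host Windows would contact to fetch this sound file, or None if local.

    Both slash styles and the URL form are normalised first, because a check that
    looks only at the literal string is exactly what a crafted path can slip past.
    """
    if not value:
        return None
    path = value.strip()
    if _DRIVE_RE.match(path):
        return None
    if _SCHEME_RE.match(path):
        parsed = urlparse(path)
        if parsed.hostname:
            return _normalise(parsed.hostname)
        # file://///host/share/x.wav keeps the host inside the path component.
        path = parsed.path
    match = _UNC_RE.match(path)
    if match:
        return _normalise(match.group(1))
    return None


def triage(items: Iterable[dict]) -> List[dict]:
    """Return one finding per item whose reminder sound points at a remote host."""
    findings = []
    for item in items:
        host = remote_host(item.get("PidLidReminderFileParameter"))
        if host:
            findings.append(
                {"subject": item.get("subject", ""), "sender": item.get("sender", ""), "host": host}
            )
    return findings


# Constructed sample export: two benign items and four that would trigger an SMB connection.
SAMPLE_ITEMS = [
    {"subject": "Q3 planning", "sender": "alice@example.com",
     "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Lunch", "sender": "bob@example.com"},  # no custom sound at all
    {"subject": "Invoice overdue", "sender": "billing@example.net",
     "PidLidReminderFileParameter": r"\\203.0.113.7\share\reminder.wav"},
    {"subject": "Team sync", "sender": "carol@example.com",
     "PidLidReminderFileParameter": "file://files.example.net/media/ping.wav"},
    {"subject": "Payroll", "sender": "hr@example.org",
     "PidLidReminderFileParameter": r"\\?\UNC\203.0.113.7\s\a.wav"},
    {"subject": "Stand-up", "sender": "dave@example.com",
     "PidLidReminderFileParameter": r"\\localhost\c$\Windows\Media\ding.wav"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ITEMS):
        print(f"{finding['host']:20} {finding['sender']:22} {finding['subject']}")
```

The point of the normalisation in `remote_host` is the article's own lesson: the original fix was bypassed because Windows path handling is more flexible than a single string check assumes, so a detection should canonicalise every form it knows (drive paths, both slash styles, the `\\?\UNC\` prefix, and `file:` URLs) before deciding that a path is local. Any property value the script cannot classify should still be reviewed by hand, and, as Microsoft notes above, a clean scan does not rule out exploitation if the items were deleted afterwards.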