Microsoft has released a detailed guide to assist customers in detecting signs of compromise by exploiting a recently patched Outlook zero-day vulnerability. This privilege escalation security flaw in the Outlook client for Windows, tracked as CVE-2023-23397, enables attackers to steal NTLM hashes without user interaction in NTLM-relay zero-click attacks.
It can be used by threat actors to send messages with extended MAPI properties containing UNC paths to attacker-controlled SMB shares. In the report, Microsoft shared several techniques for determining whether credentials were compromised by CVE-2023-23397 exploits, as well as mitigation measures to protect against future attacks.
While the company also released a script to assist administrators in determining whether any Exchange users have been targeted, Redmond stated that defenders must look for other signs of exploitation if the threat actors have cleaned up their traces by deleting any incriminating messages.
Alternative sources of indicators of compromise associated with this Outlook flaw include telemetry extracted from multiple sources such as firewall, proxy, VPN, and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users and IIS Logs for Exchange Server.
Forensic endpoint data such as Windo
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: