An announcement from Microsoft confirming a critical vulnerability in its Outlook software (tracked as CVE-2023-23397) has placed the cyber security industry on high alert this week. While the full impact of the vulnerability is yet to be uncovered, its severity has been rated 9.8 out of a maximum of 10 on the Common Vulnerability Scoring System (CVSS). The discovery is particularly concerning because the vulnerability is relatively easy to exploit, requires no user interaction and exposes an excessively wide attack surface.
In a nutshell: threat actors can exploit a vulnerability in Microsoft Outlook emails to execute an attack without the victim even opening the email.
How Can Emails be Re-Configured?
When you write an email, you attach different pieces of information to it, such as the recipient’s name, the subject line, the date the message was sent, or the message body itself. These pieces of information are called “properties”.
Properties can also include more technical information that the average person will not normally configure themselves, such as the message ID, the size of the message, or whether the message has been read or not. Some zero-day vulnerabilities have now been discovered in technical properties in Microsoft Outlook.
Zero-day vulnerability: a security weakness in a system or device that has been disclosed but is not yet patched.
How Can Threat Actors Exploit this Microsoft Outlook Vulnerability?
Some of these technical properties in the Microsoft Outlook software can be weaponized by threat actors, presenting, in turn, a critical vulnerability.
Attackers do this by configuring additional properties that contain information on where specific data on the victim’s network can be located (called a “path”), together with a window through which the hacker’s computer and the victim’s computer can communicate and share files (more commonly known as “ports”).
The additional properties are attached to malicious calendar invitations, notes or tasks, which are then emailed to the victim. Cybersecurity researchers have discovered that malicious actors are able to use these paths and ports to gain backdoor access to the target’s password hash (a scrambled form of the password that a computer system stores in order to keep the password itself secure).
Therefore, once the email is received and processed by unpatched Outlook software, the attacker is able to execute what is known as a “Pass the Hash” attack – they can use the stolen password hash to evade authentication protocols and gain undetected access to the user’s computer system, and potentially other computer systems on the same network, without needing to know the actual password.
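The following added example (not code from the original article or from Microsoft) shows the defender-side check that follows from the mechanism described above: exported calendar, note and task items are inspected for an extra reminder property whose path points at a host outside the organisation. The item records, the property key name reminder_file_path, the internal network ranges and the DNS suffix corp.example are all constructed assumptions for the example; a real review would read the property the mail store actually exposes and use the organisation's own allow-list.

```python
"""Flag calendar, note and task items whose extra reminder property points to a
host outside the organisation (added example; assumptions are marked below)."""
import ipaddress
import re

# Assumption: these ranges and this DNS suffix define "inside the organisation".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
INTERNAL_DNS_SUFFIXES = ("corp.example",)

# Standard Outlook message classes for appointments, tasks and notes, the item
# types the article names as carriers of the malicious properties.
REMINDER_CLASSES = ("IPM.Appointment", "IPM.Task", "IPM.StickyNote")

# UNC path syntax: \\host\share\... or the WebDAV form \\host@port\share\...
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\d+))?\\")

# Constructed sample items. "reminder_file_path" is a placeholder key name for
# the extra property; the hosts and paths are made up for the example.
SAMPLE_ITEMS = [
    {"id": "msg-001", "class": "IPM.Appointment", "reminder_file_path": None},
    {"id": "msg-002", "class": "IPM.Task",
     "reminder_file_path": r"\\203.0.113.25\share\reminder.wav"},
    {"id": "msg-003", "class": "IPM.Appointment",
     "reminder_file_path": r"\\fileserver.corp.example\sounds\chime.wav"},
    {"id": "msg-004", "class": "IPM.StickyNote",
     "reminder_file_path": r"\\host.unrelated.example@8080\p\a.wav"},
    {"id": "msg-005", "class": "IPM.Appointment",
     "reminder_file_path": r"\\10.20.30.40\music\alarm.wav"},
    {"id": "msg-006", "class": "IPM.Appointment",
     "reminder_file_path": "C:\\Windows\\Media\\chime.wav"},
]


def parse_remote_target(value):
    """Return (host, port) when the property value is a UNC path, else None.
    port is None unless the path carries the WebDAV @port suffix."""
    if not isinstance(value, str):
        return None
    match = UNC_RE.match(value.strip())
    if not match:
        return None
    host, port = match.group(1).lower(), match.group(2)
    return host, (int(port) if port else None)


def is_internal_host(host):
    """True if host is an address in INTERNAL_NETWORKS or a name under an
    internal DNS suffix (exact match or a subdomain, so evilcorp.example is
    not treated as inside corp.example)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(host == s or host.endswith("." + s) for s in INTERNAL_DNS_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETWORKS)


def flag_item(item):
    """Return a reason string if the item should be reviewed, else None."""
    if item.get("class") not in REMINDER_CLASSES:
        return None
    target = parse_remote_target(item.get("reminder_file_path"))
    if target is None:          # no property, or a local file path
        return None
    host, port = target
    if is_internal_host(host):
        return None
    where = f"{host}:{port}" if port else host
    return f"reminder path points to external host {where}"


def scan_items(items):
    """Return [(item id, reason)] for every flagged item, in input order."""
    findings = []
    for item in items:
        reason = flag_item(item)
        if reason:
            findings.append((item["id"], reason))
    return findings


if __name__ == "__main__":
    for item_id, reason in scan_items(SAMPLE_ITEMS):
        print(item_id, reason)
```

Only the two items whose reminder path leaves the organisation are reported; a local file path and an internal file server are left alone, which keeps the review list short enough to act on. The port in the WebDAV form is kept in the finding because it identifies which outbound connection the client would attempt.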
How Bad is the Impact of the Outlook Vulnerability?
The possible attack surface for this vulnerability potentially stretches across the entire user base of desktop Outlook, the core IT systems connected to Windows 365 and, in a worst-case scenario, any recipients of emails sent via Outlook. The security weakness could impact organizations of all types and sizes, especially as Outlook is one of the most commonly used email clients.
Some threat intelligence analysts believe that the security weakness has been exploited by Russian-backed nation-state actors for nearly a year against government, defense, logistics, transportation and energy targets based in Poland, Romania, Turkey and Ukraine, which underscores its severity.
Furthermore, since multiple proof-of-concepts (non-harmful demonstrations designed to highlight vulnerabilities) are now widely available and no user interaction is necessary for the attack to be executed, the potential harm is high and the attack vector is likely to be leveraged both by cyber espionage groups and by financially motivated criminal actors.
This vulnerability is particularly challenging to control because it cannot be easily mitigated by tightly structured Privileged Access Management (PAM) and Identity and Access Management (IAM) – once the threat actor is armed with the password hash, it is harder to enforce authentication controls via Active Directory. Since the attack does not require user interaction, employee training and phishing awareness cannot prevent it.
While the security weakness is said to affect only Windows-based versions of Outlook, and not the macOS, iOS, Android or web-based versions, threat actors are presented with a wide spectrum of possible attacks to execute, from data exfiltration to potentially installing malware, depending on the permissions of the victim.
What Do Cyber Insurance Professionals Need To Do?
Contact your clients
Timing is everything with these sorts of cyber threats. Insurance professionals should contact their clients to let them know of the vulnerability and its potentially wide-reaching impact.
Given the ease with which this vulnerability can be successfully exploited, your insureds should be encouraged to adopt appropriate mitigation measures as soon as possible. These include a thorough assessment of their systems and network to check for the affected versions listed by Microsoft. In addition, Microsoft has released a security patch to address the issue as part of the latest Patch Tuesday round of security updates. More information can be found on the Microsoft Security Advisory website and on the CVE website.
Refresh your memory with the relevant CCIS course components
Speak to your clients with confidence and avoid creating unnecessary panic by revisiting the materials covered in the Certified Cyber Insurance Specialist (“CCIS”) course. Lessons 3.3 (Attack Surface), 4.6 (Communication Protocols) and 5.6 (IIT Management) should be particularly helpful in providing wider context for this critical vulnerability.
In conclusion, the recently discovered Microsoft Outlook vulnerability has raised significant concerns among cybersecurity experts due to its high risk of exploitation and wide-reaching impact. It is critical that insurance professionals reach out to their clients to inform them of the vulnerability and encourage them to take appropriate mitigation measures, including a thorough assessment of their systems and network and vigilant patching.
Want to elevate your career with the Certified Cyber Insurance Specialist Course? Find out more here.