Fancy Bear Exploits Outlook Flaw to Hijack Microsoft Exchange

A Russia state-sponsored threat group, Fancy Bear, was identified as actively exploiting a known Outlook flaw to steal sensitive information by accessing emails within the Exchange servers.

The flaw CVE-2023-23397 (CVSS score 9.8) when successfully exploited allows hackers to access targets’ email accounts to retrieve ‘’high-value information’’, revealed Polish Cyber Command, which partnered with Microsoft in this investigation.

The investigation further revealed that without any user interaction, the vulnerability can be exploited with a specially crafted message to the victim. ‘’The user does not need to interact with the message: if Outlook on Windows is open when the reminder is triggered, it allows exploitation,’’ Microsoft said.

The flaw not only allows the theft of sensitive information, but also allows hackers to steal NTLMv2 hashes, thus granting system privileges. Using owner privilege, APT28 changed mailbox folder permissions, and initiated lateral movement in the compromised environment to not only steal information but also target other members of the same organization.

The flaw affects all versions of Outlook for Windows, except Outlook for Android, iOS, Mac, and users who use Outlook on the web (OWA) without using the Outlook client. According to the tech giant, APT28 is believed to have been exploiting this vulnerability since April 2022.

Later in March 2023, Microsoft identified this critical elevation of privilege vulnerability in Outlook on Windows and issued patches for this zero-day bug.

The company also revealed the other publicly available vulnerabilities exploited by APT28, like WinRAR CVE 2023-38831 and the MSHTML Remote Code Execution CVE 2021-40444.

Microsoft urged all users to apply the latest available security updates, reset passwords of compromised accounts, and enable multi-factor authentication (MFA) for all users.