Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)

Regarding: CVE-2023-23397

This is a fast publish, use at own risk.

See guidance from Microsoft: CVE-2023-23397 – Security Update Guide – Microsoft – Microsoft Outlook Elevation of Privilege Vulnerability

If you need to mitigate the latest Outlook vulnerability which abuses an SMB/WebDav call using the Calendar invite feature you can consider the following:

Defence

Threat hunting with some funny results!

You never know what you will find when you go hunting! So here’s a quick tale of an explore I did using Advanced Hunting!

I went hunting here in Advanced Hunting:

Education

Password Spraying Office 365

Clearly this is for penetration testing, not for evil! So if you have to pentest Office 365 you might want to be attacking the authentication services. This will be aligned to the tenant you are testing, as always make sure you have authorisation.

Deploy to your favourite LINUX instance or WSL etc.

Hacking

Office 365/Azure Pentest Tools

I’m not going to talk about these… yet… and there’s duplicates because I think it’s useful to see where they can be used in different scenarios. Expect this list to grow!

Defense

Defending Against Direct Authentication Attacks in Microsoft Office 365

Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)

Defense

Hardening Office 365 PowerShell Access

Only admins can use PowerShell, right? Wrong! In Office 365 and Azure AD standard users can connect using PowerShell.

In this quick post we are going to look at how to disable users from being able to read other users data using the MSOL cmdlets. (this also appears to limit AzureAD cmdlets access as well)

Disable MSOL Read Access

Run the following command as a global admin: Read more “Hardening Office 365 PowerShell Access” →