Uncovering Zero-Click Outlook Exploits: Akamai’s Latest Findings

In the ever-evolving landscape of cybersecurity, recent discoveries have unraveled new challenges for the ubiquitous email application, Microsoft Outlook. A series of vulnerabilities, potent enough to be chained together, could allow attackers to execute code remotely without any action from the user—so-called “zero-click” exploits. These findings, developed by Akamai security researcher Ben Barnea, are a stark reminder of the vigilance required in our digital world.

Microsoft has patched two critical vulnerabilities identified by Barnea, marking a continuous battle between safeguarding software and the ingenuity of hackers. The first, CVE-2023-35384, was actively exploited by a Russian threat actor known as APT28 or Forest Blizzard, cutting through client defenses to gain unauthorized access to Exchange servers. This bypass allowed for both privilege escalation and theft of NTLM credentials, highlighting a growing sophistication in cyberattacks.

Meanwhile, the second vulnerability, CVE-2023-36710 in the Audio Compression Manager (ACM), pointed to an integer overflow issue that can come into play through playing a specific type of WAV file. These are potent zero-click exploits that activate simply by previewing an email, exemplified in insightful discussions at Akamai (Part One and Part Two).

The combination of these vulnerabilities, fully addressed by Microsoft in August and October 2023, also casts a shadow on previous patches—namely, CVE-2023-35384 and CVE-2023-29324, both discovered by Barnea as well. Attackers could send an email with a malicious file or URL, leading to code execution on the victim’s machine, an attack method that is as silent as it is deadly. This underscores the importance of updating Outlook and implementing mitigation measures such as microsegmentation, NTLM disabling, or adding users to the Protected Users security group.

Employing a little caution could go a long way. For instance, IT departments and users should actively disable outbound SMB connections to public IP addresses when not needed or implement the safety net of the Protected Users security group which proactively secures accounts by default.

The stark reality is that these vulnerabilities serve as a critical reminder. Regular updates and patches are essential, alongside vigilance in opening email attachments or following suspicious links. Protection also extends to personal practices such as regular data backups and immediate reporting of any anomalous activity to your IT department or directly to Microsoft.

Organizations and individuals alike should prioritize cybersecurity awareness and training, empowering users with the knowledge to prevent attacks. It’s in this collective attention to detail and defense that users can protect themselves against the hidden dangers of zero-click Outlook RCE exploits and other similar attacks, as iterated by Microsoft.