Phishing attacks related to Outlook calendar sharing and malicious links… Be especially careful
Data security company Varonis recently discovered three new vulnerabilities and sophisticated attack methods, revealing risks associated with Microsoft Outlook and certain Windows programs. The vulnerability could expose users to the risk of compromising NTLM v2 hashes, a critical protocol for authenticating users to remote servers.
CVE-2023-35636 is a vulnerability currently rated as ‘Important’ by Microsoft.
This issue was immediately resolved through a patch update on Tuesday, December 2023, emphasizing the seriousness of the risk posed by this vulnerability. However, Baronis reported that additional issues rated ‘moderate’ remain unpatched, leaving users vulnerable to potentially malicious attacks.
A way to exploit this vulnerability is to cleverly manipulate Outlook’s calendar sharing function. The attacker sends a sophisticated email to Outlook users. The email, which contains two specific headers, tricks Outlook into thinking the message is a content share and redirects the victim’s session to a server controlled by the attacker.
Clicking ‘Open this calendar’ in the malicious email will trick the victim’s device into retrieving a configuration file from the attacker’s server, exposing the NTLM hash during the authentication process.
The second attack method is to exploit WPA (Windows Performance Analyzer), a tool commonly used by developers.
Baroness researchers discovered that a unique URI handler within WPA handles links that use NTLM v2 on the open Internet, potentially exposing NTLM hashes. An attacker could exploit this to send an email containing a link designed to redirect the victim to a malicious WPA payload hosted on a server controlled by the attacker.
Unlike WPA, which is mainly found on developer computers, the third and fourth attack methods use the popular Windows File Explorer. Because this tool exists on every Windows computer, the attack surface could be enormous.
The attack methods are summarized as follows.
An attacker sends a malicious link via email, social media, or other channels. When the target clicks on the link, the attacker can obtain the hash and then attempt to decrypt the user’s password.
Likewise, attackers can exploit File Explorer through malicious links. When the victim clicks on the link, the attacker can obtain the hash and gain unauthorized access.
“Once the hash is cracked and the password is exposed, an attacker can use it to log into the organization as a user. With this payload, explorer.exe attempts to query files with the extension .search-ms,” Baronis said. explained.
Given the severity of these vulnerabilities and the potential for unauthorized access to sensitive information, users are advised to immediately apply Microsoft’s latest security updates. He also emphasized the importance of increasing awareness of phishing attacks, especially those involving calendar sharing and malicious links.
★Dailysecu, Korea’s leading security media!★
Copyright © Daily Secu. Reproduction and redistribution prohibited.
