This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.

As we continue to enhance the security of our cloud, we are going to address the problem of email sent to Exchange Online from unsupported and unpatched Exchange servers. There are many risks associated with running unsupported or unpatched software, but by far the biggest risk is security. Once a version of Exchange Server is no longer supported, it no longer receives security updates; thus, any vulnerabilities discovered after support has ended don’t get fixed. There are similar risks associated with running software that is not patched for known vulnerabilities. Once a security update is released, malicious actors will reverse-engineer the update to get a better understanding of how to exploit the vulnerability on unpatched servers.

Huntress is tracking CVE-2023-23397, a 0-day that impacts Microsoft Outlook and requires no user interaction to expose user credential hashes.

Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.

Today, Microsoft’s Digital Threat Analysis Center (DTAC) is attributing a recent influence operation targeting the satirical French magazine Charlie Hebdo

A software development toolset, VSTO is available in Microsoft’s Visual Studio IDE. It enables Office Add-In’s (a type of Office application extension) to be developed in .NET and also allows for Office documents to be created that will deliver and execute these Add-In’s.

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.

Microsoft's move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor's LNK files – the shortcuts Windows uses to point to other files.

In recent months, Microsoft has detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor we track as ZINC. Microsoft Threat Intelligence Center (MSTIC) observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.

Microsoft has revoked several Chardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.

As we report more fully below, in the wake of Russian battlefield losses to Ukraine this fall, Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv’s military and political support, domestic and foreign. This approach has included destructive missile and cyber strikes on civilian infrastructure in Ukraine, cyberattacks on Ukrainian and now foreign-based supply chains, and cyber-enabled influence operations[1]—intended to undermine US, EU, and NATO political support for Ukraine, and to shake the confidence and determination of Ukrainian citizens.

On February 23, 2022, the cybersecurity world entered a new age, the age of the hybrid war, as Russia launched both physical and digital attacks against Ukraine. This year’s Microsoft Digital Defense Report provides new detail on these attacks and on increasing cyber aggression coming from authoritarian leaders around the world.

Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread.

A new Windows zero-day allows threat actors to use malicious JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.

The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware payload.

In recent months, Microsoft detected weaponization of legitimate open-source software by an actor the Microsoft Threat Intelligence Center (MSTIC) tracks as ZINC, targeting employees at media, defense and aerospace, and IT service provider organizations in the US, UK, India, and Russia.

New research shows how third-party apps could be exploited to infiltrate these sensitive workplace tools.

Microsoft this week released an out-of-band security update for its Endpoint Configuration Manager solution to patch a vulnerability that could be useful to malicious actors for moving around in a targeted organization’s network.

The vulnerability is tracked as CVE-2022-37972 and it has been described by Microsoft as a medium-severity spoofing issue. The tech giant has credited Brandon Colley of Trimarc Security for reporting the flaw.

Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange Online service to launch spam runs.