{
	"id": "4e32c9ff-1ab4-442f-b8cf-fc4ec8e49990",
	"created_at": "2026-04-06T03:35:48.085074Z",
	"updated_at": "2026-04-10T03:37:50.046608Z",
	"deleted_at": null,
	"sha1_hash": "27adf9ede1deea801f5cef3289d46e042fd23313",
	"title": "Russian hackers exploiting Outlook bug to hijack Exchange accounts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2934083,
	"plain_text": "Russian hackers exploiting Outlook bug to hijack Exchange accounts\r\nBy Bill Toulas\r\nPublished: 2023-12-04 · Archived: 2026-04-06 02:59:20 UTC\r\nMicrosoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 (aka \"Fancybear\" or \"Strontium\") actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.\r\nThe targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East.\r\nThe tech giant also highlighted the exploitation of other vulnerabilities with publicly available exploits in the same attacks, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.\r\nhttps://www.bleepingcomputer.com/news/microsoft/russian-hackers-exploiting-outlook-bug-to-hijack-exchange-accounts/\r\nOutlook flaw exploitation background\r\nCVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Outlook on Windows, which Microsoft fixed as a zero-day on the March 2023 Patch Tuesday.\r\nThe disclosure of the flaw came with the revelation that APT28 had been exploiting it since April 2022 via specially crafted Outlook notes designed to steal NTLM hashes, forcing the target devices to authenticate to attacker-controlled SMB shares without requiring user interaction.\r\nBy elevating their privileges on the system, which proved uncomplicated, APT28 performed lateral movement in the victim's environment and changed Outlook mailbox permissions to perform targeted email theft.\r\nDespite the availability of security updates and mitigation recommendations, the attack surface remained significant, and a bypass of the fix (CVE-2023-29324) that followed in May worsened the situation.\r\nRecorded Future warned in June that APT28 likely leveraged the Outlook flaw against key Ukrainian organizations. In October, the French cybersecurity agency (ANSSI) revealed that the Russian hackers had used the zero-click attack against government entities, businesses, universities, research institutes, and think tanks in France.\r\nAttacks still ongoing\r\nMicrosoft's latest warning highlights that the GRU hackers still leverage CVE-2023-38831 in attacks, so there are still systems out there that remain vulnerable to the critical EoP flaw.\r\nThe tech firm has also noted the work of the Polish Cyber Command Center (DKWOC) in helping detect and stop the attacks. DKWOC also published a post describing APT28 activity that leverages CVE-2023-38831.\r\nThe recommended actions to take right now, listed by priority, are the following:\r\nApply the available security updates for CVE-2023-23397 and its bypass CVE-2023-29324.\r\nUse this script by Microsoft to check if any Exchange users have been targeted.\r\nReset passwords of compromised users and enable MFA (multi-factor authentication) for all users.\r\nLimit SMB traffic by blocking connections to ports 135 and 445 from all inbound IP addresses.\r\nDisable NTLM on your environment.\r\nGiven that APT28 is a highly resourceful and adaptive threat group, the most effective defense strategy is to reduce the attack surface across all interfaces and ensure all software products are regularly updated with the latest security patches.\r\nSource: https://www.bleepingcomputer.com/news/microsoft/russian-hackers-exploiting-outlook-bug-to-hijack-exchange-accounts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/microsoft/russian-hackers-exploiting-outlook-bug-to-hijack-exchange-accounts/"
	],
	"report_names": [
		"russian-hackers-exploiting-outlook-bug-to-hijack-exchange-accounts"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446548,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27adf9ede1deea801f5cef3289d46e042fd23313.pdf",
		"text": "https://archive.orkl.eu/27adf9ede1deea801f5cef3289d46e042fd23313.txt",
		"img": "https://archive.orkl.eu/27adf9ede1deea801f5cef3289d46e042fd23313.jpg"
	}
}