Microsoft Outlook zero-day has been live for nearly a year – Mandiant

As has been reported worldwide recently, Microsoft has disclosed a zero-day (CVE-2023-23397) on email and comms platform Outlook.

Mandiant research has linked the zero-day to Russian threat actor APT28.

CVE-2023-23397 is a vulnerability in the Outlook client that requires no user interaction and for which proof of concept exploits are now widely available. Mandiant Threat Intelligence considers this a high-risk vulnerability due to the possibility of privilege escalation with no user interaction or privileges required for exploitation. Following exploitation an attacker could authenticate to multiple services and move laterally. Exploitation of the zero-day is trivial and it will likely be leveraged imminently by actors for espionage purposes or financial gain.

Mandiant believes the zero-day has been used for almost a year to target organisations and critical infrastructure. These targets could facilitate strategic intelligence collection as well as disruptive and destructive attacks inside and outside of Ukraine.


Mandiant has created UNC4697 to track early exploitation of the zero-day. The vulnerability has been in use since April 2022 against targets across government, logistics, oil/gas, defence, and transportation industries located in Poland, Ukraine, Romania, and Turkey.


Mandiant anticipates broad, rapid adoption of the CVE-2023-23397 exploit by multiple nation-state and financially-motivated actors, including both criminal and cyber espionage actors. In the short-term, these actors will race against patching efforts to gain footholds in unpatched systems.


Proof-of-concepts are already widely available for the zero-day which requires no user interaction.

In addition to the collection of intelligence for strategic purposes, Mandiant believes this zero-day was used to target critical infrastructure inside and outside of Ukraine in preparation for potential disruptive or destructive cyberattacks.

Note that this vulnerability does not affect cloud-based email solutions.


John Hultquist, Head of Mandiant Intelligence Analysis – Google Cloud, said of the zero-day:


“This is more evidence that aggressive, disruptive and destructive cyberattacks may not remain constrained to Ukraine and a reminder that we cannot see everything. While preparation for attacks do not necessarily indicate they are imminent, the geopolitical situation should give us pause.”


“This is also a reminder that we cannot see everything going on with this conflict. These are spies and they have a long track record of successfully evading our notice.”


“This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun.”


Adversary Operations has created UNC4697 to track exploitation of the zero-day which has been publicly attributed to APT28.


APT28 is a Russian military intelligence (GRU) actor that regularly carries out cyber espionage and information operations within and outside of Ukraine. APT28 frequently collaborates with the GRU actor Sandworm, who is responsible for disruptive and destructive attacks.