Russian APT28 Exploits Outlook Bug to Access Exchange


A prolific Russian state-sponsored APT group is actively exploiting a known vulnerability in Outlook to access email accounts on Exchange servers, Microsoft has warned.

APT28 (aka Forest Blizzard, Strontium, Fancy Bear) is known to target government, energy, transportation and non-governmental organizations in the US, Europe and the Middle East, Microsoft Threat Intelligence claimed on X (formerly Twitter).

“Microsoft Defender XDR detects activities affiliated with the exploitation of CVE-2023-23397, and additional mitigation info and guidance is detailed in our blog. Organizations should ensure systems are patched and kept up to date to mitigate this threat,” it added.

CVE-2023-23397 was first disclosed and patched as a zero-day bug in Microsoft’s March 2023 Patch Tuesday update round. It was described as a critical elevation of privilege vulnerability in Outlook with a CVSS score of 9.8.


An attack exploiting the bug could be executed without any user interaction simply by sending a specially crafted email, which triggers automatically when retrieved by the email server. This could mean a user’s machine is exploited before they’re even able to view the message in the Preview Pane.

All supported versions of Microsoft Outlook for Windows are affected, and it’s believed that APT28 had been exploiting the vulnerability for almost a year before it was patched by Microsoft.

The Redmond giant thanked the Polish Cyber Command (DKWOC) for helping it identify and mitigate techniques used by the Russian state actor.

Microsoft also warned on X that APT28 may be actively exploiting other publicly known vulnerabilities including CVE-2023-38831 and CVE-2021-40444.
