Proof of Concept exploits for this Outlook flaw are now loose in the wild, so patch ASAP and check to see if you’ve been affected.
Microsoft recently patched a zero-click privilege escalation vulnerability within Microsoft Outlook, tracked as CVE-2023-2339 and rated a 9.8/10 on the Common Vulnerability Scoring System (CVSS). Left unchecked, this vulnerability could allow a threat actor to capture sensitive information from any user account that receives the malicious email and impersonate that user.
Announced earlier this week, a threat actor can leverage a feature of Microsoft Outlook that allows a custom sound file to be loaded as a notification for a message. However, this file does not have to be local to the machine and can be on a remote file share accesible via a Universal Naming Convention path.
