Published on June 12, 2026

APT28 Weaponizes Outlook Zero-Click Flaw to Steal Net-NTLMv2 Hashes From NATO Targets


Severity

High


Detail

Threat intelligence researchers have reported ongoing cyber espionage activity by APT28, a Russian state-sponsored threat actor also known as Fancy Bear and Forest Blizzard. The group has been observed exploiting a Microsoft Outlook zero-click vulnerability to steal authentication credentials from organizations associated with NATO, defense sectors, and critical infrastructure.

The campaign leverages CVE-2023-23397, a Microsoft Outlook elevation-of-privilege vulnerability that allows attackers to trigger authentication requests without requiring any user interaction. Unlike traditional phishing attacks that depend on victims opening attachments or clicking malicious links, the vulnerability is exploited automatically when Outlook processes specially crafted reminder messages.

How?

The exploitation process begins when the attackers deliver a modified email message containing a malicious reminder property to a targeted mailbox. When the victim’s Outlook client processes this incoming reminder, it automatically initiates an outbound connection to an attacker-controlled Server Message Block (SMB) server.

During this automated handshake, the victim’s system transmits its Net-NTLMv2 authentication hash to the remote server. The threat actors capture these hashes and reuse them to conduct NTLM relay attacks against Microsoft Exchange and other interconnected internal network services. Ultimately, this allows the attackers to gain unauthorized access to sensitive communications, email accounts, and internal company resources without ever needing to deploy malware on the victim’s machine.

Researchers have also observed APT28 utilizing compromised Small Office/Home Office (SOHO) network devices to support these operations. The threat actors reportedly leverage large botnets consisting of compromised edge routers to relay malicious traffic and host credential collection infrastructure. By routing attacks through legitimate consumer internet connections, attackers can obscure their activity, evade reputation-based security controls, and complicate attribution efforts. These compromised devices are used to collect authentication data, facilitate relay attacks, and conceal command-and-control infrastructure from defenders.

The campaign demonstrates a shift toward stealthier attack techniques that rely on credential theft, legitimate authentication mechanisms, and distributed infrastructure rather than traditional malware deployment. Organizations that continue to use vulnerable Outlook versions or rely heavily on NTLM authentication may face an increased risk of unauthorized access and espionage activities.

Recommendation

Organizations should implement the following measures to reduce the risk associated with this threat:

  • Apply the Microsoft security updates that address the vulnerability and ensure all Outlook installations are fully patched.
  • Conduct scans for indicators of compromise related to CVE-2023-23397 and review historical Outlook messages for malicious reminder properties.
  • Disable or restrict NTLM authentication where possible and migrate to stronger authentication protocols such as Kerberos or modern identity solutions.
  • Enable multi-factor authentication (MFA) across all user and administrative accounts.
  • Monitor authentication logs for unusual NTLM authentication attempts, relay activity, and suspicious mailbox access.
  • Review Microsoft Exchange and email server logs for unauthorized access attempts and anomalous mailbox activity.
  • Restrict outbound SMB traffic to untrusted external networks to prevent credential leakage.
  • Implement network segmentation and access controls to limit the impact of compromised credentials.
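As an added example (not code from the advisory or its source), the following Python helpers implement two of the checks above: triaging a message's reminder file property, which is what makes Outlook reach out to an SMB or WebDAV host, by whether its UNC target is internal or untrusted, and spotting allowed outbound SMB (TCP/445) to non-internal hosts in firewall logs. The RFC 1918 ranges, the trusted DNS suffix, the log format and the sample lines are constructed assumptions, not indicators from the advisory.

```python
"""Added example: defender-side checks for CVE-2023-23397-style Net-NTLMv2 leakage."""
import ipaddress
import re

# Assumptions constructed for this example: RFC 1918 ranges and one internal DNS suffix.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_SUFFIXES = (".corp.example",)
# UNC forms in a reminder property that make Outlook authenticate while processing it:
#   \\host\share\file (SMB/445), \\host@80\share\file and \\host@SSL@443\share\file (WebDAV)
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL@)?\d+)?\\", re.IGNORECASE)
# Constructed firewall log format: key=value pairs, one connection per line.
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def is_internal_host(host):
    """RFC 1918 address, trusted DNS suffix or single-label (NetBIOS-style) name is internal."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in RFC1918)
    except ValueError:
        host = host.lower().rstrip(".")
        return host.endswith(TRUSTED_SUFFIXES) or "." not in host

def classify_reminder_path(value):
    """Triage a PidLidReminderFileParameter value extracted from a message:
    'benign' (empty or not a UNC path), 'internal' (UNC to a trusted host),
    'suspicious' (UNC to an untrusted host, the shape used to harvest Net-NTLMv2)."""
    m = UNC_RE.match(value.strip()) if value else None
    if not m:
        return "benign"
    return "internal" if is_internal_host(m.group(1)) else "suspicious"

def outbound_smb_leaks(log_lines):
    """(src, dst) pairs for allowed outbound TCP/445 to non-internal hosts, i.e. the
    traffic that blocking outbound SMB at the perimeter is meant to stop."""
    leaks = []
    for line in log_lines:
        m = FW_RE.search(line)
        if (m and m.group(3) == "445" and "action=allow" in line
                and not is_internal_host(m.group(2))):
            leaks.append((m.group(1), m.group(2)))
    return leaks

# Constructed sample log lines, not indicators from the advisory.
SAMPLE_LOG = [
    "2026-06-12T10:01:02Z src=10.0.0.5 dst=10.0.0.20 dport=445 action=allow",
    "2026-06-12T10:01:09Z src=10.0.0.5 dst=198.51.100.23 dport=445 action=allow",
    "2026-06-12T10:01:11Z src=10.0.0.7 dst=198.51.100.23 dport=445 action=deny",
]
```

Feed `classify_reminder_path` the reminder property values your mailbox-scanning tool extracts; any "suspicious" hit is a message to pull for forensic review, and any pair returned by `outbound_smb_leaks` is a host that may already have leaked a Net-NTLMv2 response.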

Source

https://cyberpress.org/apt28-steals-net-ntlmv2-hashes-via-outlook-flaw/