Rule History

SID: 2044685 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 3 • Mar 16, 2023, 12:00 PM

Message:

ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M6 (CVE-2023-23397)

Rule:

alert smtp $SMTP_SERVERS any -> any any (msg:"ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M6 (CVE-2023-23397)"; content:"SQBQAE0ALgBUAGEAcwBrA"; fast_pattern; content:"|0d 0a 0d 0a|"; base64_decode:offset 0,relative; base64_data; content:"|78 9f 3e 22|"; startswith; content:"|00|I|00|P|00|M|00|.|00|T|00|a|00|s|00|k"; content:"|5c|"; pcre:"/^\x00?\\\x00?[\w\.\-\x00]+\\/R"; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397; reference:cve,2023-23397; classtype:attempted-admin; sid:2044685; rev:3; metadata:created_at 2023_03_16, cve CVE_2023_23397, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_27, reviewed_at 2023_10_11, former_sid 2853731;)

Created:

Mar 16, 2023, 12:00 PM

Updated:

Apr 27, 2023, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Aug 25, 2025, 9:35 PM

Filename:

rules/emerging-exploit.rules