CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink)
CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook caused by improper input validation of hyperlinks using the 'file://' moniker protocol combined with an exclamation mark suffix. When a victim previews or opens a crafted email, Outlook follows the malicious link without the usual Protected View warning, leaking NTLM credentials via an outbound SMB connection and potentially enabling remote code execution. CVSS 9.8. Actively exploited in the wild (CISA KEV).
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Microsoft
- Product
- Outlook, Microsoft 365 Apps, Office 2016, Office 2019, Office LTSC 2021
- Versions
- Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office LTSC 2021
Weakness (CWE)
Timeline
- Disclosed
- February 13, 2024
- Patched
- February 13, 2024
References & Proof of Concept
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
What is CVE-2024-21413 CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink)?
CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink) (CVE-2024-21413) maps to the Initial Access and Credential Access and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Sentinel EmailUrlInfo. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let moniker_pattern = @'(?i)file://[^\s]*![^\s]*';
union
(
EmailUrlInfo
| where Url matches regex moniker_pattern
| project TimeGenerated, NetworkMessageId, Url, UrlDomain, ReportId
| extend DetectionSource = 'EmailUrlInfo'
),
(
DeviceNetworkEvents
| where RemotePort == 445 or RemotePort == 139
| where InitiatingProcessFileName =~ 'OUTLOOK.EXE' or InitiatingProcessFileName =~ 'outlook.exe'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, LocalIP
| extend DetectionSource = 'OutlookSMBEgress'
),
(
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'OUTLOOK.EXE'
| where FileName in~ ('cmd.exe','powershell.exe','wscript.exe','mshta.exe','rundll32.exe','regsvr32.exe')
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| extend DetectionSource = 'OutlookChildProcess'
)
| where TimeGenerated > ago(7d)
| sort by TimeGenerated descDetects CVE-2024-21413 MonikerLink exploitation patterns: malicious file:// moniker URLs in email, Outlook initiating outbound SMB connections (NTLM credential theft), and Outlook spawning suspicious child processes indicative of RCE.
Data Sources
Required Tables
False Positives
- Legitimate internal file:// links in emails referencing corporate UNC shares (common in some enterprise environments)
- Security scanning tools that follow URLs in emails for analysis may trigger the EmailUrlInfo rule
- Outlook accessing internal SMB shares for legitimate business file sharing workflows
- Software deployment or IT tooling that launches processes via Outlook integrations
Sigma rule & cross-platform mapping
The detection logic for CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink) (CVE-2024-21413) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2024-21413
References (4)
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MonikerLink NTLM Credential Capture via Crafted Email
Expected signal: Windows Security Event ID 4776 on DC showing NTLM authentication from victim Outlook host to ATTACKER_IP. Sysmon Event ID 3 showing OUTLOOK.EXE network connection to ATTACKER_IP:445.
- Test 2Outlook Child Process Spawn via MonikerLink RCE Simulation
Expected signal: Sysmon Event ID 1 with ParentImage=OUTLOOK.EXE and Image=calc.exe (or substitute payload). DeviceProcessEvents in Defender ATP showing the process chain.
- Test 3MonikerLink Pattern Extraction and Email Header Analysis
Expected signal: Microsoft Defender for Office 365 EmailUrlInfo table entry with Url matching file://[IP]/[share]/[path]![suffix] pattern. Log ingestion into SIEM within 5-15 minutes.
- Test 4NTLM Hash Relay Attempt Post-Credential Capture
Expected signal: Windows Security Event ID 4624 (Type 3 network logon) on lab target using relayed credentials. Sysmon network events showing SMB connection from relay host to target. New process execution on target if relay succeeded.
Unlock Pro Content
Get the full detection package for CVE-2024-21413 including response playbook, investigation guide, and atomic red team tests.