CVE-2024-21413

Microsoft Outlook RCE via Moniker Link (MonikerLink)

CVE-2024-21413 is a critical (CVSS 9.8) remote code execution vulnerability in Microsoft Outlook caused by improper input validation. Dubbed 'MonikerLink', the flaw allows an attacker to craft a malicious hyperlink using the file:// URI scheme combined with an exclamation mark (!), bypassing Outlook's Protected View and MOTW (Mark of the Web) safeguards. When a user clicks the link, Outlook resolves it as a Component Object Model (COM) moniker, triggering NTLM authentication negotiation to an attacker-controlled server (leaking NTLMv2 hashes) and potentially executing arbitrary code. Affected products include Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, and Office LTSC 2021. CISA added this to the KEV catalog with a due date of February 27, 2025, indicating active exploitation in the wild.

Microsoft Sentinel / Defender
```kusto
// CVE-2024-21413 — Microsoft Outlook MonikerLink RCE
// Detect potential exploitation: outbound SMB/NTLM authentication from the
// Outlook process to public addresses, and connection inspections from Outlook
// that carry NTLM or file:// indicators
let lookback = 24h;
let SuspiciousOutlookNetworkEvents =
    DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where InitiatingProcessFileName =~ "OUTLOOK.EXE"
    // SMB / NetBIOS session ports only: Outlook legitimately uses 80/443 to
    // reach Exchange Online, so those ports need an allow-list before use
    | where RemotePort in (445, 139)
    | where RemoteIPType == "Public"
    | extend ThreatIndicator = "CVE-2024-21413-Outlook-External-SMB"
    | project TimeGenerated, DeviceName, InitiatingProcessFileName,
        RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine, ThreatIndicator;
let SuspiciousNTLMAuth =
    DeviceEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType in~ ("NetworkConnectionInspected", "ConnectionInspected")
    | where InitiatingProcessFileName =~ "OUTLOOK.EXE"
    // AdditionalFields is dynamic; stringify before term matching
    | where tostring(AdditionalFields) has_any ("NTLM", "NTLMv2", "file://")
    | extend ThreatIndicator = "CVE-2024-21413-NTLM-Leak"
    | project TimeGenerated, DeviceName, InitiatingProcessFileName,
        RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine, ThreatIndicator;
SuspiciousOutlookNetworkEvents
| union SuspiciousNTLMAuth
| sort by TimeGenerated desc
```

Severity: Critical · Confidence: High

Data Sources

  • Microsoft Defender for Endpoint (DeviceNetworkEvents)
  • Microsoft Defender for Endpoint (DeviceEvents)
  • Microsoft 365 Defender

Required Tables

  • DeviceNetworkEvents
  • DeviceEvents

False Positives

  • Outlook connecting to legitimate SharePoint or OneDrive file shares via SMB over the internet
  • Legitimate file:// hyperlinks in emails pointing to internal UNC paths (tune with known-good internal IP ranges)
  • Exchange Online hybrid connectors initiating SMB flows
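
Added here as a defender-side example, not part of the original detection page: a mail-gateway or mailbox scanner that flags the link pattern the description gives (a file:// hyperlink with an exclamation mark in its path) and marks whether the target host falls in an assumed internal range, to support the tuning note under False Positives. INTERNAL_NETS and SAMPLE_HTML are constructed placeholders.

```python
"""Flag MonikerLink-style hyperlinks (file:// plus '!') in HTML e-mail bodies."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed known-good internal ranges; replace with the organisation's own.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample body: one https link, one plain file:// link and two
# file:// links carrying the '!' separator that CVE-2024-21413 relies on.
SAMPLE_HTML = """<html><body>
<p>Report portal: <a href="https://intranet.example.com/reports">portal</a></p>
<p>Old share: <a href="file://fileserver/public/readme.txt">readme</a></p>
<p><a href="file://203.0.113.10/share/report.rtf!x">Open report</a></p>
<p><a href="file://10.0.0.5/dept/notes.txt%21y">Notes</a></p>
</body></html>"""


class _HrefCollector(HTMLParser):
    """Collect href values of <a> tags (HTMLParser tolerates sloppy markup)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def is_internal_host(host):
    """True for a private IP or a single-label (intranet) server name."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return "." not in host


def find_monikerlink_hrefs(html_body):
    """Return [(href, host, internal)] for file:// links whose path has '!'."""
    collector = _HrefCollector()
    collector.feed(html_body)
    hits = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        # unquote() so a percent-encoded '!' (%21) is not missed
        if parts.scheme == "file" and "!" in unquote(parts.path):
            host = parts.hostname or ""
            hits.append((href, host, is_internal_host(host)))
    return hits
```

External hits are the ones worth escalating against the Sentinel results above; internal hits map to the "legitimate internal UNC paths" false-positive case and can be allow-listed by range.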
