CVE-2024-21413 Elastic Security · Elastic

Detect CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink) in Elastic Security

CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook caused by improper input validation of hyperlinks using the 'file://' moniker protocol combined with an exclamation mark suffix. When a victim previews or opens a crafted email, Outlook follows the malicious link without the usual Protected View warning, leaking NTLM credentials via an outbound SMB connection and potentially enabling remote code execution. CVSS 9.8. Actively exploited in the wild (CISA KEV).

MITRE ATT&CK

Tactic
Initial Access Credential Access Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [network where process.name : "OUTLOOK.EXE" and destination.port in (445, 139) and network.direction : "egress"]
  [process where process.parent.name : "OUTLOOK.EXE" and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")]

/* Standalone: moniker URL in email events */
/* any where event.dataset == "o365.audit" and message : "file://*!*" */
critical severity medium confidence

EQL sequence rule correlating Outlook SMB egress (NTLM theft) with a subsequent suspicious child process spawn, indicating full CVE-2024-21413 RCE exploitation chain.

Data Sources

Elastic Endpoint SecurityMicrosoft 365 via Filebeat o365 module

Required Tables

logs-endpoint.events.network-*logs-endpoint.events.process-*

False Positives & Tuning

  • Outlook accessing legitimate SMB shares followed by automation scripts triggered by email rules
  • Enterprise document management integrations that open processes via Outlook
  • Security tools co-installed with Office that spawn child processes from Outlook context
  • Scripted IT workflows that use Outlook as a trigger for process execution

Other platforms for CVE-2024-21413

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MonikerLink NTLM Credential Capture via Crafted Email

    Expected signal: Windows Security Event ID 4776 on DC showing NTLM authentication from victim Outlook host to ATTACKER_IP. Sysmon Event ID 3 showing OUTLOOK.EXE network connection to ATTACKER_IP:445.

  2. Test 2Outlook Child Process Spawn via MonikerLink RCE Simulation

    Expected signal: Sysmon Event ID 1 with ParentImage=OUTLOOK.EXE and Image=calc.exe (or substitute payload). DeviceProcessEvents in Defender ATP showing the process chain.

  3. Test 3MonikerLink Pattern Extraction and Email Header Analysis

    Expected signal: Microsoft Defender for Office 365 EmailUrlInfo table entry with Url matching file://[IP]/[share]/[path]![suffix] pattern. Log ingestion into SIEM within 5-15 minutes.

  4. Test 4NTLM Hash Relay Attempt Post-Credential Capture

    Expected signal: Windows Security Event ID 4624 (Type 3 network logon) on lab target using relayed credentials. Sysmon network events showing SMB connection from relay host to target. New process execution on target if relay succeeded.

Last updated: 2026-06-20 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2024-21413 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0006Credential AccessTA0008Lateral Movement

Related Techniques

T1566.001Spearphishing AttachmentT1187Forced AuthenticationT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1204.002Malicious File

Same Tactic: Initial Access

Popular Detections