Detect CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink) in CrowdStrike LogScale
CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook caused by improper input validation of hyperlinks using the 'file://' moniker protocol combined with an exclamation mark suffix. When a victim previews or opens a crafted email, Outlook follows the malicious link without the usual Protected View warning, leaking NTLM credentials via an outbound SMB connection and potentially enabling remote code execution. CVSS 9.8. Actively exploited in the wild (CISA KEV).
MITRE ATT&CK
LogScale Detection Query
#event_simpleName IN (NetworkConnectIP4, ProcessRollup2)
| case {
#event_simpleName = "NetworkConnectIP4" AND ImageFileName = /(?i)\\OUTLOOK\.EXE$/ AND (RemotePort = 445 OR RemotePort = 139)
| eval detection_type = "OutlookSMBEgress", indicator = RemoteIP;
#event_simpleName = "ProcessRollup2" AND ParentBaseFileName =~ "OUTLOOK.EXE" AND FileName = /(cmd|powershell|wscript|mshta|rundll32|regsvr32)\.exe/i
| eval detection_type = "OutlookChildProcess", indicator = CommandLine;
}
| where isnotnull(detection_type)
| eval cve = "CVE-2024-21413"
| table timestamp, aid, ComputerName, UserName, ImageFileName, FileName, CommandLine, RemoteIP, RemotePort, detection_type, cve
| sort -timestamp
| limit 1000CrowdStrike Falcon query detecting Outlook-initiated SMB connections (NTLM credential theft) and Outlook spawning suspicious child processes (RCE) associated with CVE-2024-21413 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Outlook accessing internal SMB file shares through corporate network for legitimate file retrieval
- Scheduled tasks or scripts triggered through Outlook integrations that spawn command-line tools
- CrowdStrike sensor interactions with Outlook in monitored environments
- IT support tools that spawn CMD or PowerShell under Outlook's process tree for automation
Other platforms for CVE-2024-21413
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MonikerLink NTLM Credential Capture via Crafted Email
Expected signal: Windows Security Event ID 4776 on DC showing NTLM authentication from victim Outlook host to ATTACKER_IP. Sysmon Event ID 3 showing OUTLOOK.EXE network connection to ATTACKER_IP:445.
- Test 2Outlook Child Process Spawn via MonikerLink RCE Simulation
Expected signal: Sysmon Event ID 1 with ParentImage=OUTLOOK.EXE and Image=calc.exe (or substitute payload). DeviceProcessEvents in Defender ATP showing the process chain.
- Test 3MonikerLink Pattern Extraction and Email Header Analysis
Expected signal: Microsoft Defender for Office 365 EmailUrlInfo table entry with Url matching file://[IP]/[share]/[path]![suffix] pattern. Log ingestion into SIEM within 5-15 minutes.
- Test 4NTLM Hash Relay Attempt Post-Credential Capture
Expected signal: Windows Security Event ID 4624 (Type 3 network logon) on lab target using relayed credentials. Sysmon network events showing SMB connection from relay host to target. New process execution on target if relay succeeded.
References (4)
Unlock Pro Content
Get the full detection package for CVE-2024-21413 including response playbook, investigation guide, and atomic red team tests.