CVE-2024-21413 Microsoft Sentinel · KQL

Detect Microsoft Outlook RCE via Moniker Link (MonikerLink) in Microsoft Sentinel

CVE-2024-21413 is a critical (CVSS 9.8) remote code execution vulnerability in Microsoft Outlook caused by improper input validation. Dubbed 'MonikerLink', the flaw allows an attacker to craft a malicious hyperlink using the file:// URI scheme combined with an exclamation mark (!), bypassing Outlook's Protected View and MOTW (Mark of the Web) safeguards. When a user clicks the link, Outlook resolves it as a Component Object Model (COM) moniker, triggering NTLM authentication negotiation to an attacker-controlled server (leaking NTLMv2 hashes) and potentially executing arbitrary code. Affected products include Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, and Office LTSC 2021. CISA added this to the KEV catalog with a due date of February 27, 2025, indicating active exploitation in the wild.

MITRE ATT&CK

Tactics: Initial Access, Execution

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// CVE-2024-21413 — Microsoft Outlook MonikerLink RCE
// Detect potential exploitation: outbound SMB/NTLM auth from Outlook process,
// and file:// link clicks that trigger external auth challenges
let SuspiciousOutlookNetworkEvents =
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "OUTLOOK.EXE"
// 445/139 is the SMB/NetBIOS path; 80/443 also catches the WebDAV fallback used when
// outbound SMB is blocked, but it matches normal Microsoft 365 traffic, so tune with RemoteUrl exclusions
| where RemotePort in (445, 139, 80, 443)
| where RemoteIPType == "Public"
| extend ThreatIndicator = "CVE-2024-21413-Outlook-External-SMB"
// keep ThreatIndicator in the projection so it survives into the union below
| project TimeGenerated, DeviceName, InitiatingProcessFileName,
    RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine, ThreatIndicator;
let SuspiciousNTLMAuth =
DeviceEvents
| where TimeGenerated > ago(24h)
| where ActionType == "NetworkConnectionInspected" or ActionType == "ConnectionInspected"
| where InitiatingProcessFileName =~ "OUTLOOK.EXE"
| where AdditionalFields has_any ("NTLM", "NTLMv2", "file://")
| extend ThreatIndicator = "CVE-2024-21413-NTLM-Leak";
SuspiciousOutlookNetworkEvents
| union SuspiciousNTLMAuth
| sort by TimeGenerated desc
```

Severity: critical · Confidence: high

Detects potential CVE-2024-21413 exploitation by monitoring for Microsoft Outlook initiating outbound SMB connections (port 445) or NTLM authentication flows to external IPs — the hallmark of a MonikerLink click triggering covert NTLM credential capture. Also surfaces Outlook processes making unexpected external network connections.

Data Sources

  • Microsoft Defender for Endpoint (DeviceNetworkEvents)
  • Microsoft Defender for Endpoint (DeviceEvents)
  • Microsoft 365 Defender

Required Tables

  • DeviceNetworkEvents
  • DeviceEvents

False Positives & Tuning

  • Outlook connecting to legitimate SharePoint or OneDrive file shares via SMB over the internet
  • Legitimate file:// hyperlinks in emails pointing to internal UNC paths (tune with known-good internal IP ranges)
  • Exchange Online hybrid connectors initiating SMB flows
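To exercise the query's logic offline, here is an added Python example (not part of this page or of Microsoft's tooling) that re-implements the Outlook-to-external-SMB check over constructed DeviceNetworkEvents-style rows, applies the known-good-range tuning from the list above, and adds a mail-content check for the file:// plus "!" link shape the description gives; the sample rows, the NON_PUBLIC and KNOWN_GOOD_RANGES values and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample telemetry shaped like DeviceNetworkEvents rows (not real data).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "OUTLOOK.EXE", "RemoteIP": "203.0.113.10", "RemotePort": 445},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "OUTLOOK.EXE", "RemoteIP": "10.20.30.40", "RemotePort": 445},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "outlook.exe", "RemoteIP": "198.51.100.7", "RemotePort": 139},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "OUTLOOK.EXE", "RemoteIP": "203.0.113.10", "RemotePort": 443},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "chrome.exe", "RemoteIP": "203.0.113.10", "RemotePort": 445},
]
SMB_PORTS = {445, 139}
# Stand-in for RemoteIPType == "Public": anything outside RFC 1918, loopback and link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Assumed org-owned range hosting legitimate file shares; this is the "known-good" tuning list.
KNOWN_GOOD_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Hyperlink shape described above: a file:// URI that carries the "!" moniker separator.
MONIKER_LINK = re.compile(r"file://[^\s\"'<>]+![^\s\"'<>]*", re.IGNORECASE)


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def detect_outlook_external_smb(events, known_good=KNOWN_GOOD_RANGES):
    """Return events where OUTLOOK.EXE talks SMB/NetBIOS to a public host not on the allowlist."""
    hits = []
    for ev in events:
        if ev["InitiatingProcessFileName"].lower() != "outlook.exe":
            continue  # only the Outlook process is of interest
        if ev["RemotePort"] not in SMB_PORTS:
            continue  # 80/443 is normal Microsoft 365 traffic; keep the SMB path only
        addr = ipaddress.ip_address(ev["RemoteIP"])
        if not is_public(ev["RemoteIP"]) or any(addr in net for net in known_good):
            continue  # internal or allowlisted UNC targets are the main false positive
        hits.append({**ev, "ThreatIndicator": "CVE-2024-21413-Outlook-External-SMB"})
    return hits


def find_moniker_links(html: str) -> list:
    """Flag file:// hyperlinks containing '!' in mail content, for hunting alongside the network rule."""
    return MONIKER_LINK.findall(html)


if __name__ == "__main__":
    for hit in detect_outlook_external_smb(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"], hit["ThreatIndicator"])
    print(find_moniker_links('<a href="file://203.0.113.10/docs/agenda.txt!x">agenda</a>'))
```

With the sample rows only the ws01 connection to 203.0.113.10:445 alerts; the 198.51.100.7 row is suppressed by the allowlist and the 443 row by the port filter.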

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate MonikerLink click triggering external SMB auth

    Expected signal: Sysmon Event ID 3 from OUTLOOK.EXE to attacker IP port 445; Windows Security Event ID 4648 with target server = attacker IP.
