CVE-2024-21413 Splunk · SPL

Detect Microsoft Outlook RCE via Moniker Link (MonikerLink) in Splunk

CVE-2024-21413 is a critical (CVSS 9.8) remote code execution vulnerability in Microsoft Outlook caused by improper input validation. Dubbed 'MonikerLink', the flaw allows an attacker to craft a malicious hyperlink using the file:// URI scheme combined with an exclamation mark (!), bypassing Outlook's Protected View and MOTW (Mark of the Web) safeguards. When a user clicks the link, Outlook resolves it as a Component Object Model (COM) moniker, triggering NTLM authentication negotiation to an attacker-controlled server (leaking NTLMv2 hashes) and potentially executing arbitrary code. Affected products include Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, and Office LTSC 2021. CISA added this to the KEV catalog with a due date of February 27, 2025, indicating active exploitation in the wild.
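The link shape described above (a `file://` URI whose target contains an exclamation mark) is also something a mail gateway or a hunting script can look for before anyone clicks. The following is an added example, not part of this detection page or any vendor product: it pulls hyperlink targets out of an HTML message body and classifies each one. The sample bodies, the `fs01.example` host and the `203.0.113.7` address (a documentation range) are constructed placeholders.

```python
"""Added example (not from the original page): flag hyperlinks in an HTML
e-mail body that match the MonikerLink pattern (file:// URI containing '!').
Sample message bodies below are constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class _HrefCollector(HTMLParser):
    """Collect href targets from <a> and <area> tags (attribute names are
    lower-cased by HTMLParser, so HREF and href are both caught)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html_body):
    """Return every href target found in the body, in document order."""
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def classify_link(href):
    """'monikerlink' for a file: link whose target contains '!',
    'file_link' for any other file: link (still worth review, since opening
    it drives an SMB/NTLM exchange), 'ok' for everything else."""
    # Percent-decode first so an encoded '!' (%21) cannot slip past the check.
    target = unquote(href.strip())
    if urlsplit(target).scheme != "file":      # urlsplit lower-cases the scheme
        return "ok"
    rest = target.split(":", 1)[1]             # everything after 'file:'
    return "monikerlink" if "!" in rest else "file_link"


def scan_html(html_body):
    """Classify all links in a body; verdict is the most severe class found."""
    severity = {"ok": 0, "file_link": 1, "monikerlink": 2}
    findings = [(href, classify_link(href)) for href in extract_hrefs(html_body)]
    verdict = max((v for _, v in findings), key=severity.get, default="ok")
    return verdict, findings


# Constructed sample bodies; hosts and IPs are placeholders.
SAMPLE_BODIES = {
    "benign": '<p>See the <a href="https://intranet.example/policy">policy</a>.</p>',
    "unc_only": '<a href="file://fs01.example/share/Q1.docx">Q1 report</a>',
    "moniker": '<a HREF="FILE://203.0.113.7/share/report.rtf!placeholder">report</a>',
    "encoded": '<a href="file://203.0.113.7/s/a.rtf%21x">x</a>',
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        verdict, findings = scan_html(body)
        print(f"{label:9s} -> {verdict:12s} {findings}")
```

The `file_link` class exists because a plain UNC hyperlink in mail is itself unusual for most organisations and is the precondition for the NTLM exchange the rule below looks for; treat it as a lower-severity review item rather than an alert.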

MITRE ATT&CK

Tactics: Initial Access, Execution

SPL Detection Query

Splunk (SPL)
index=endpoint sourcetype IN ("WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "crowdstrike:events:sensor")
(
  (EventCode=3 OR event_simpleName="NetworkConnectIP4")
  AND (Image="*\\OUTLOOK.EXE" OR ParentImage="*\\OUTLOOK.EXE" OR process_name="OUTLOOK.EXE")
  AND dest_port IN (445, 139)
)
| where NOT (cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip) OR cidrmatch("127.0.0.1/32", dest_ip))
| eval CVE="CVE-2024-21413"
| eval ThreatType="Outlook-MonikerLink-NTLM-Leak"
| bin _time span=1h
| stats count AS OutboundSMBAttempts,
        values(dest_ip) AS ExternalIPs,
        values(dest_port) AS Ports,
        dc(dest_ip) AS UniqueExternalIPs
  BY _time, host, user, CVE, ThreatType
| where OutboundSMBAttempts >= 1
| eval Severity="CRITICAL"
| table _time, host, user, ExternalIPs, Ports, OutboundSMBAttempts, UniqueExternalIPs, CVE, Severity, ThreatType
| sort - OutboundSMBAttempts

Severity: critical | Confidence: high

Detects CVE-2024-21413 exploitation by identifying Outlook.exe initiating outbound SMB connections (port 445/139) to external, non-RFC1918 IP addresses. This pattern indicates a MonikerLink click that triggered NTLM authentication to an attacker-controlled server for credential harvesting.
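The same logic, implemented in Python over constructed Sysmon Event ID 3 records so it can be exercised offline, as an added example that is not part of this detection page: the base-search filter (OUTLOOK.EXE, port 445/139, destination outside RFC1918 and loopback), the hourly bucketing and the per-host/user aggregation. The records use CIM-style field names (`dest_ip`, `dest_port`, `Image`) and are shaped like the Sysmon signal the Testing Methodology section says to expect; hostnames, users, timestamps and the 203.0.113.x / 198.51.100.x destinations (documentation ranges) are constructed placeholders.

```python
"""Added example (not from the original page): Python equivalent of the SPL
query, run over constructed CIM-normalised Sysmon EventCode=3 records."""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Ranges the SPL query excludes as internal / non-suspicious.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {445, 139}
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"

# Constructed sample events; hosts, users and external addresses are placeholders.
SAMPLE_EVENTS = [
    {"_time": "2024-02-15T09:12:03Z", "EventCode": 3, "host": "WS01", "user": "acme\\alice",
     "Image": OUTLOOK, "dest_ip": "203.0.113.7", "dest_port": 445},
    {"_time": "2024-02-15T09:13:41Z", "EventCode": 3, "host": "WS01", "user": "acme\\alice",
     "Image": OUTLOOK, "dest_ip": "203.0.113.7", "dest_port": 445},
    # Outlook to an internal file server over SMB: excluded by the RFC1918 rule.
    {"_time": "2024-02-15T09:15:00Z", "EventCode": 3, "host": "WS01", "user": "acme\\alice",
     "Image": OUTLOOK, "dest_ip": "10.20.30.40", "dest_port": 445},
    # Outlook to an external mail endpoint on 443: not an SMB port, ignored.
    {"_time": "2024-02-15T09:16:00Z", "EventCode": 3, "host": "WS01", "user": "acme\\alice",
     "Image": OUTLOOK, "dest_ip": "198.51.100.9", "dest_port": 443},
    # A different process to external SMB: outside this rule's scope.
    {"_time": "2024-02-15T10:05:00Z", "EventCode": 3, "host": "WS02", "user": "acme\\bob",
     "Image": "C:\\Windows\\explorer.exe", "dest_ip": "198.51.100.9", "dest_port": 445},
    # Second host, later hour, a single attempt on 139.
    {"_time": "2024-02-15T11:47:30Z", "EventCode": 3, "host": "WS03", "user": "acme\\carol",
     "Image": OUTLOOK, "dest_ip": "198.51.100.9", "dest_port": 139},
]


def is_internal(ip_str):
    """True for RFC1918 or loopback destinations (the query's exclusion list)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def is_candidate(evt):
    """Mirror of the SPL base search: Sysmon network connection from
    OUTLOOK.EXE to an SMB port on a destination outside the internal ranges."""
    return (evt.get("EventCode") == 3
            and evt.get("Image", "").upper().endswith("\\OUTLOOK.EXE")
            and int(evt.get("dest_port", 0)) in SMB_PORTS
            and not is_internal(evt["dest_ip"]))


def hour_bucket(ts):
    """Equivalent of `bin _time span=1h`: truncate an ISO-8601 UTC stamp to the hour."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return t.replace(minute=0, second=0, microsecond=0).isoformat()


def detect(events):
    """Aggregate like the `stats ... BY _time, host, user` stage; rows are
    sorted by OutboundSMBAttempts descending, as the query's final sort does."""
    groups = defaultdict(lambda: {"n": 0, "ips": set(), "ports": set()})
    for evt in events:
        if not is_candidate(evt):
            continue
        g = groups[(hour_bucket(evt["_time"]), evt["host"], evt["user"])]
        g["n"] += 1
        g["ips"].add(evt["dest_ip"])
        g["ports"].add(int(evt["dest_port"]))
    rows = [{
        "_time": bucket, "host": host, "user": user,
        "ExternalIPs": sorted(g["ips"]), "Ports": sorted(g["ports"]),
        "OutboundSMBAttempts": g["n"], "UniqueExternalIPs": len(g["ips"]),
        "CVE": "CVE-2024-21413", "Severity": "CRITICAL",
        "ThreatType": "Outlook-MonikerLink-NTLM-Leak",
    } for (bucket, host, user), g in groups.items()]
    return sorted(rows, key=lambda r: r["OutboundSMBAttempts"], reverse=True)


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Of the six constructed records only the two WS01 connections and the single WS03 connection survive the filter, giving one row per host/user/hour; the internal file-server access and the port 443 connection fall out exactly where the SPL rule's tuning notes say they should.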

Data Sources

  • Windows Security Event Log (Event ID 4648, 4624)
  • Sysmon (Event ID 3, network connection)
  • CrowdStrike Falcon endpoint telemetry

Required Sourcetypes

  • WinEventLog:Security
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Outlook accessing legitimate internal file servers via SMB (exclude RFC1918 ranges)
  • Email clients opening UNC path hyperlinks to sanctioned internal resources

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate MonikerLink click triggering external SMB auth

    Expected signal: Sysmon Event ID 3 from OUTLOOK.EXE to attacker IP port 445; Windows Security Event ID 4648 with target server = attacker IP.
