Detect CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink) in Sumo Logic CSE
CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook caused by improper input validation of hyperlinks using the 'file://' moniker protocol combined with an exclamation mark suffix. When a victim previews or opens a crafted email, Outlook follows the malicious link without the usual Protected View warning, leaking NTLM credentials via an outbound SMB connection and potentially enabling remote code execution. CVSS 9.8. Actively exploited in the wild (CISA KEV).
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=windows* OR _sourceCategory=defender* OR _sourceCategory=o365*
| parse regex field=_raw "(?i)(?P<parent_process>OUTLOOK\.EXE)" nodrop
| parse regex field=_raw "(?i)file://[^\s]*!(?P<moniker_path>[^\s]+)" nodrop
| parse regex field=_raw "DestinationPort.*?(?P<dest_port>445|139)" nodrop
| parse regex field=_raw "(?i)Image.*?(?P<child_proc>(cmd|powershell|wscript|mshta|rundll32|regsvr32)\.exe)" nodrop
| where !isNull(parent_process) or !isNull(moniker_path)
| if(!isNull(moniker_path), "MonikerURLDetected",
if(!isNull(dest_port), "OutlookSMBEgress",
if(!isNull(child_proc), "OutlookChildProcess", "Unknown"))) as detection_type
| count by _sourceHost, detection_type, moniker_path, dest_port, child_proc
| sort by _count descSumo Logic query detecting MonikerLink exploitation patterns including file:// moniker URLs, Outlook SMB egress, and Outlook spawning suspicious child processes.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise intranet links using file:// protocol in legitimate internal emails
- IT scripts triggered by Outlook rules accessing network shares
- Third-party Outlook add-ins that connect to SMB resources for file sync
- Collaborative workflows where Outlook integrations spawn helper applications
Other platforms for CVE-2024-21413
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MonikerLink NTLM Credential Capture via Crafted Email
Expected signal: Windows Security Event ID 4776 on DC showing NTLM authentication from victim Outlook host to ATTACKER_IP. Sysmon Event ID 3 showing OUTLOOK.EXE network connection to ATTACKER_IP:445.
- Test 2Outlook Child Process Spawn via MonikerLink RCE Simulation
Expected signal: Sysmon Event ID 1 with ParentImage=OUTLOOK.EXE and Image=calc.exe (or substitute payload). DeviceProcessEvents in Defender ATP showing the process chain.
- Test 3MonikerLink Pattern Extraction and Email Header Analysis
Expected signal: Microsoft Defender for Office 365 EmailUrlInfo table entry with Url matching file://[IP]/[share]/[path]![suffix] pattern. Log ingestion into SIEM within 5-15 minutes.
- Test 4NTLM Hash Relay Attempt Post-Credential Capture
Expected signal: Windows Security Event ID 4624 (Type 3 network logon) on lab target using relayed credentials. Sysmon network events showing SMB connection from relay host to target. New process execution on target if relay succeeded.
References (4)
Unlock Pro Content
Get the full detection package for CVE-2024-21413 including response playbook, investigation guide, and atomic red team tests.