Windows OLE Remote Code Execution via Malicious RTF Document
CVE-2025-21298 is a critical (CVSS 9.8) use-after-free (CWE-416) remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) subsystem. An attacker can exploit it by sending a victim a specially crafted email containing a malicious RTF document. Simply previewing the email in Microsoft Outlook's Preview Pane is sufficient to trigger code execution; no double-click by the user is required. The vulnerability affects all supported Windows versions (Windows 10, 11, Server 2008–2025) and is particularly dangerous in small and medium business (SMB) environments, where Outlook is the standard email client and the Preview Pane is enabled by default. As a critical no-interaction RCE delivered through a ubiquitous file format, this vulnerability is a high-priority patching target.
// CVE-2025-21298 — Windows OLE RCE via RTF Email Preview
// Detect suspicious process spawning from Outlook Preview Pane / OLE handling
// Key signals: OUTLOOK.EXE spawning unexpected child processes, RTF file associations
// Note: TimeGenerated is the Microsoft Sentinel column name; in Defender Advanced Hunting use Timestamp.
//
// 1. OUTLOOK.EXE spawning anything outside its known-good child set
let OutlookChildProcesses =
    DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName =~ "OUTLOOK.EXE"
    | where FileName !in~ (
        "splwow64.exe", "winword.exe", "excel.exe", "powerpnt.exe",
        "Teams.exe", "OneDrive.exe", "SearchProtocolHost.exe",
        "msedge.exe", "MSOSYNC.EXE", "lync.exe"
      )
    | where FileName !startswith "mso"   // Office helper binaries share the mso prefix
    | extend ThreatIndicator = "CVE-2025-21298-Outlook-Unexpected-Child";
//
// 2. COM/OLE surrogate hosts launching script hosts and other LOLBins.
//    has_any matches whole terms, not substrings: "-Embedding" matches the Embedding token,
//    but "dcom" does not match a token such as DcomLaunch. Tune the marker list accordingly.
let OLEComponentSpawn =
    DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ("svchost.exe", "dllhost.exe")
    | where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                          "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe")
    | where InitiatingProcessCommandLine has_any ("ole", "com", "dcom", "-Embedding")
    | extend ThreatIndicator = "CVE-2025-21298-OLE-Suspicious-Child";
//
// 3. RTF files landing in temp, download or Outlook cache locations
//    (Outlook's temporary attachment folder lives under INetCache).
let SuspiciousRTFFiles =
    DeviceFileEvents
    | where TimeGenerated > ago(24h)
    | where FileName endswith ".rtf"
    | where ActionType in ("FileCreated", "FileRenamed")
    | where FolderPath has_any ("Temp", "Downloads", "AppData\\Local\\Microsoft\\Windows\\INetCache")
    | extend ThreatIndicator = "CVE-2025-21298-RTF-Drop";
//
// Union the three branches; ThreatIndicator tells you which one fired.
OutlookChildProcesses
| union OLEComponentSpawn
| union SuspiciousRTFFiles
| sort by TimeGenerated desc

Data Sources
Required Tables
- DeviceProcessEvents
- DeviceFileEvents
False Positives
- Legitimate Office automation spawning dllhost.exe via COM/OLE (tune with known-good COM object GUIDs)
- IT scripts using Outlook COM automation (document which service accounts perform this)
- Print-to-PDF workflows spawning splwow64.exe from Outlook (already excluded in query)
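To exercise the three detection branches against sample telemetry, and to show the kind of allowlist the false-positive notes call for, here is an added Python replay of the query logic. It is not part of the original detection package: the event records, the service account svc-mailreport, the GUID and the folder paths are constructed, and the term-based matching only approximates KQL's has_any semantics.

```python
"""Offline replay of the CVE-2025-21298 hunting logic over constructed sample events."""
import re
from dataclasses import dataclass

# Mirrors the query's exclusion list: processes Outlook is expected to spawn.
OUTLOOK_KNOWN_CHILDREN = {
    "splwow64.exe", "winword.exe", "excel.exe", "powerpnt.exe",
    "teams.exe", "onedrive.exe", "searchprotocolhost.exe",
    "msedge.exe", "msosync.exe", "lync.exe",
}
OLE_HOSTS = {"svchost.exe", "dllhost.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
OLE_MARKERS = {"ole", "com", "dcom", "embedding"}  # the has_any terms, lower-cased
RTF_DROP_FOLDERS = ("temp", "downloads", r"appdata\local\microsoft\windows\inetcache")

# Hypothetical allowlist for the false-positive note on Outlook COM automation:
# accounts documented as driving Outlook via COM are suppressed from branch 1.
AUTOMATION_ACCOUNTS = {"svc-mailreport"}  # constructed name


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a DeviceProcessEvents row."""
    time: int
    parent: str          # InitiatingProcessFileName
    parent_cmdline: str  # InitiatingProcessCommandLine
    child: str           # FileName
    account: str         # AccountName


@dataclass(frozen=True)
class FileEvent:
    """Subset of a DeviceFileEvents row."""
    time: int
    name: str    # FileName
    folder: str  # FolderPath
    action: str  # ActionType


def terms(text: str) -> set:
    """Approximate KQL `has` semantics: whole alphanumeric terms, case-insensitive."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def outlook_unexpected_child(ev: ProcessEvent) -> bool:
    """Branch 1: OUTLOOK.EXE spawning something outside its known-good child set."""
    if ev.parent.lower() != "outlook.exe":
        return False
    child = ev.child.lower()
    if child in OUTLOOK_KNOWN_CHILDREN or child.startswith("mso"):
        return False
    return ev.account.lower() not in AUTOMATION_ACCOUNTS


def ole_suspicious_child(ev: ProcessEvent) -> bool:
    """Branch 2: COM surrogate host launching a script host with an OLE/COM marker on its command line."""
    return (ev.parent.lower() in OLE_HOSTS
            and ev.child.lower() in SCRIPT_HOSTS
            and bool(OLE_MARKERS & terms(ev.parent_cmdline)))


def rtf_drop(ev: FileEvent) -> bool:
    """Branch 3: an .rtf created or renamed in a temp, download or Outlook cache folder."""
    folder = ev.folder.lower()
    return (ev.name.lower().endswith(".rtf")
            and ev.action in ("FileCreated", "FileRenamed")
            and any(marker in folder for marker in RTF_DROP_FOLDERS))


def hunt(process_events, file_events):
    """Union of the three branches, newest first, as (time, ThreatIndicator, subject) tuples."""
    hits = []
    for ev in process_events:
        if outlook_unexpected_child(ev):
            hits.append((ev.time, "CVE-2025-21298-Outlook-Unexpected-Child", ev.child))
        if ole_suspicious_child(ev):
            hits.append((ev.time, "CVE-2025-21298-OLE-Suspicious-Child", ev.child))
    for ev in file_events:
        if rtf_drop(ev):
            hits.append((ev.time, "CVE-2025-21298-RTF-Drop", ev.name))
    return sorted(hits, key=lambda h: h[0], reverse=True)


# Constructed sample telemetry (not real captures); GUID and paths are placeholders.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(1, "OUTLOOK.EXE", "OUTLOOK.EXE", "cmd.exe", "alice"),                  # hit
    ProcessEvent(2, "OUTLOOK.EXE", "OUTLOOK.EXE", "WINWORD.EXE", "alice"),              # excluded child
    ProcessEvent(3, "OUTLOOK.EXE", "OUTLOOK.EXE", "msouc.exe", "alice"),                # mso* prefix
    ProcessEvent(4, "OUTLOOK.EXE", "OUTLOOK.EXE", "powershell.exe", "svc-mailreport"),  # allowlisted account
    ProcessEvent(5, "dllhost.exe",
                 "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000} -Embedding",
                 "powershell.exe", "alice"),                                             # hit
    ProcessEvent(6, "svchost.exe", "svchost.exe -k DcomLaunch -p", "rundll32.exe", "SYSTEM"),  # no term match
]
SAMPLE_FILE_EVENTS = [
    FileEvent(7, "invoice.rtf",
              r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\PLACEHOLDER",
              "FileCreated"),                                                             # hit
    FileEvent(8, "report.rtf", r"C:\Users\alice\Documents", "FileCreated"),               # outside watched folders
]

if __name__ == "__main__":
    for time, indicator, subject in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(time, indicator, subject)
```

Running the replay yields three hits, newest first: the RTF drop into the Outlook cache, the dllhost-to-powershell launch (matched on the Embedding term), and the cmd.exe child of Outlook. Event 6 is deliberately not flagged: under whole-term matching, "dcom" does not match the DcomLaunch token, which is the same behaviour the KQL has_any clause has, so a marker list built from substrings will silently miss that service host. Event 4 shows the allowlist from the false-positive notes in action; in production, keep that list short and tied to documented service accounts rather than suppressing powershell.exe outright.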