Detect Windows OLE Remote Code Execution via Malicious RTF Document in Microsoft Sentinel
CVE-2025-21298 is a critical (CVSS 9.8) use-after-free (CWE-416) remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) subsystem. An attacker can exploit this vulnerability by sending a victim a specially crafted email containing a malicious RTF document. Simply previewing the email in Microsoft Outlook's Preview Pane is sufficient to trigger code execution — no user double-click required. The vulnerability affects all supported Windows versions (Windows 10, 11, Server 2008–2025) and is particularly dangerous in small and medium business (SMB) environments where Outlook is the standard email client and Preview Pane is enabled by default. As a critical no-interaction RCE delivered through a ubiquitous file format, this vulnerability is a high-priority patching target.
MITRE ATT&CK
- Tactic: Initial Access, Execution
KQL Detection Query
```kusto
// CVE-2025-21298 — Windows OLE RCE via RTF Email Preview
// Detect suspicious process spawning from Outlook Preview Pane / OLE handling
// Key signals: OUTLOOK.EXE spawning unexpected child processes, RTF file associations
let OutlookChildProcesses =
    DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName =~ "OUTLOOK.EXE"
    | where FileName !in~ (
        "splwow64.exe", "winword.exe", "excel.exe", "powerpnt.exe",
        "Teams.exe", "OneDrive.exe", "SearchProtocolHost.exe",
        "msedge.exe", "MSOSYNC.EXE", "lync.exe"
    )
    | where FileName !startswith "mso"
    | extend ThreatIndicator = "CVE-2025-21298-Outlook-Unexpected-Child";
let OLEComponentSpawn =
    DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ("svchost.exe", "dllhost.exe")
    | where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
        "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe")
    | where InitiatingProcessCommandLine has_any ("ole", "com", "dcom", "-Embedding")
    | extend ThreatIndicator = "CVE-2025-21298-OLE-Suspicious-Child";
let SuspiciousRTFFiles =
    DeviceFileEvents
    | where TimeGenerated > ago(24h)
    | where FileName endswith ".rtf"
    | where ActionType in ("FileCreated", "FileRenamed")
    | where FolderPath has_any ("Temp", "Downloads", "AppData\\Local\\Microsoft\\Windows\\INetCache")
    | extend ThreatIndicator = "CVE-2025-21298-RTF-Drop";
OutlookChildProcesses
| union OLEComponentSpawn
| union SuspiciousRTFFiles
| sort by TimeGenerated desc
```
Detects CVE-2025-21298 exploitation via three complementary signals: (1) unexpected child processes spawned by OUTLOOK.EXE (Preview Pane trigger), (2) OLE/COM host processes (svchost.exe, dllhost.exe) spawning scripting engines or LOLBins, and (3) RTF file creation in user temp/cache paths typical of email attachment extraction. Each signal carries its own ThreatIndicator value; correlate all three on the same host for high confidence.
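The correlation step the query leaves to the analyst (all three ThreatIndicator values on one host) can be checked offline before the rule ships. The following is an added example, not the page's own query or part of any vendor package: it mirrors the three KQL filters in Python over constructed sample events whose keys match the DeviceProcessEvents / DeviceFileEvents columns used above, and groups hits per DeviceName. Note that it tokenises the command line the way KQL `has_any` does, on whole terms, so "-Embedding" matches but "netsvcs" does not.

```python
import re
from collections import defaultdict
# Constructed sample telemetry (not real data); keys mirror the KQL query's table columns.
PROCESS_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "OUTLOOK.EXE",
     "FileName": "cmd.exe", "InitiatingProcessCommandLine": "outlook.exe"},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "dllhost.exe",
     "FileName": "powershell.exe", "InitiatingProcessCommandLine": "dllhost.exe -Embedding"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "svchost.exe",
     "FileName": "rundll32.exe", "InitiatingProcessCommandLine": "svchost.exe -k netsvcs"},
]
FILE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "invoice.rtf", "ActionType": "FileCreated",
     "FolderPath": r"C:\Users\a\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook"},
]
OUTLOOK_BENIGN_CHILDREN = {"splwow64.exe", "winword.exe", "excel.exe", "powerpnt.exe", "teams.exe",
                           "onedrive.exe", "searchprotocolhost.exe", "msedge.exe", "msosync.exe", "lync.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
OLE_TERMS = {"ole", "com", "dcom", "embedding"}  # KQL has_any matches whole terms, not substrings
RTF_DROP_PATHS = ("temp", "downloads", r"appdata\local\microsoft\windows\inetcache")

def classify_process(ev):  # signals 1 and 2: returns the ThreatIndicator label or None
    parent, child = ev["InitiatingProcessFileName"].lower(), ev["FileName"].lower()
    if parent == "outlook.exe" and child not in OUTLOOK_BENIGN_CHILDREN and not child.startswith("mso"):
        return "CVE-2025-21298-Outlook-Unexpected-Child"
    if parent in ("svchost.exe", "dllhost.exe") and child in SCRIPT_HOSTS:
        terms = set(re.findall(r"[a-z0-9]+", ev["InitiatingProcessCommandLine"].lower()))
        if terms & OLE_TERMS:  # "-Embedding" tokenises to the term "embedding"; "netsvcs" does not match
            return "CVE-2025-21298-OLE-Suspicious-Child"
    return None

def classify_file(ev):  # signal 3: RTF created or renamed in a temp, download or Outlook cache path
    if (ev["FileName"].lower().endswith(".rtf") and ev["ActionType"] in ("FileCreated", "FileRenamed")
            and any(p in ev["FolderPath"].lower() for p in RTF_DROP_PATHS)):
        return "CVE-2025-21298-RTF-Drop"
    return None

def correlate(process_events, file_events):  # DeviceName -> sorted distinct indicators seen on it
    hits = defaultdict(set)
    for fn, events in ((classify_process, process_events), (classify_file, file_events)):
        for ev in events:
            if ind := fn(ev):
                hits[ev["DeviceName"]].add(ind)
    return {host: sorted(inds) for host, inds in hits.items()}

def high_confidence_hosts(process_events, file_events):  # hosts where all three signals co-occur
    return sorted(h for h, i in correlate(process_events, file_events).items() if len(i) == 3)
```

Replace the constructed lists with an export of the real tables (or the output of the rule run with a `summarize make_set(ThreatIndicator) by DeviceName`) to confirm the per-host grouping behaves as expected.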
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint process creation telemetry; used by the OutlookChildProcesses and OLEComponentSpawn signals)
- DeviceFileEvents (Microsoft Defender for Endpoint file activity telemetry; used by the SuspiciousRTFFiles signal)
False Positives & Tuning
- Legitimate Office automation spawning dllhost.exe via COM/OLE (tune with known-good COM object GUIDs)
- IT scripts using Outlook COM automation (document which service accounts perform this)
- Print-to-PDF workflows spawning splwow64.exe from Outlook (already excluded in query)
Testing Methodology
Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate OLE object spawn from Outlook Preview Pane
  Expected signal: Sysmon Event ID 1 — unexpected process (cmd.exe or payload) with ParentImage=OUTLOOK.EXE triggered by email preview.