title: Microsoft Outlook RCE via Moniker Link (MonikerLink) (CVE-2024-21413)
id: df00tech-cve-2024-21413
status: experimental
description: "CVE-2024-21413 is a critical (CVSS 9.8) remote code execution vulnerability in Microsoft Outlook caused by improper input validation. Dubbed 'MonikerLink', the flaw allows an attacker to craft a malicious hyperlink using the file:// URI scheme combined with an exclamation mark (!), bypassing Outlook's Protected View and MOTW (Mark of the Web) safeguards. When a user clicks the link, Outlook resolves it as a Component Object Model (COM) moniker, triggering NTLM authentication negotiation to an attacker-controlled server (leaking NTLMv2 hashes) and potentially executing arbitrary code. Affected products include Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, and Office LTSC 2021. CISA added this to the KEV catalog with a due date of February 27, 2025, indicating active exploitation in the wild."
references:
  - https://attack.mitre.org/techniques/CVE-2024-21413/
  - https://df00tech.com/detections/CVE-2024-21413
author: df00tech
date: 2026/04/22
tags:
  - attack.cve-2024-21413
  - cve.2024-21413
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # The vendor's KQL/SPL query could not be auto-translated (see the df00tech query).
  # The selection below encodes the behaviour the description gives: Outlook itself
  # initiating an outbound SMB session (the NTLM negotiation) to an address outside
  # the organisation. Field names follow the Sigma network_connection taxonomy
  # (Sysmon Event ID 3); the private ranges in the filter are placeholders to tune.
  selection:
    Image|endswith: '\OUTLOOK.EXE'
    Initiated: 'true'
    DestinationPort: 445
  filter_internal:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
  condition: selection and not filter_internal
falsepositives:
  - Outlook connecting to legitimate SharePoint or OneDrive file shares via SMB over the internet
  - "Legitimate file:// hyperlinks in emails pointing to internal UNC paths (tune with known-good internal IP ranges)"
  - Exchange Online hybrid connectors initiating SMB flows
level: critical
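The link shape the description names (a file:// hyperlink carrying a "!") and the internal-range tuning suggested under falsepositives, as an added Python triage example for email bodies that is not part of the df00tech rule. The internal ranges, the sample body and the verdict names are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed internal ranges (placeholders): replace with your own known-good UNC hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def _is_internal(host: str) -> bool:
    """True only for a literal IP inside INTERNAL_NETS; hostnames are not trusted
    until you resolve them against your own inventory."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def classify_link(href: str) -> str:
    """Verdict for one hyperlink: monikerlink, external-file, internal-file or benign."""
    parts = urlsplit(href.strip())
    if parts.scheme.lower() != "file":
        return "benign"
    # The '!' after the share path is what makes Outlook treat the target as a COM
    # moniker rather than a plain file reference, so it is checked before the host.
    if any("!" in p for p in (parts.path, parts.query, parts.fragment)):
        return "monikerlink"
    return "internal-file" if _is_internal(parts.hostname or "") else "external-file"


def scan_email_body(html: str) -> list[tuple[str, str]]:
    """Return (verdict, href) for every hyperlink in an HTML body that is not benign."""
    return [(v, h) for h in HREF_RE.findall(html) if (v := classify_link(h)) != "benign"]


# Constructed sample body; 203.0.113.0/24 is a documentation range standing in for
# an external host.
SAMPLE_BODY = """
<p>Q1 numbers: <a href="https://example.com/report">portal</a></p>
<p>Old copy: <a href="file://10.20.30.40/finance/report.docx">share</a></p>
<p>Draft: <a href="file://203.0.113.5/share/report.docx!draft">open</a></p>
<p>Archive: <a href="file://203.0.113.5/share/q4.xlsx">archive</a></p>
"""

if __name__ == "__main__":
    for verdict, href in scan_email_body(SAMPLE_BODY):
        print(f"{verdict:14} {href}")
```

Hostnames that are not literal IPs come back as external-file on purpose; resolve them against your inventory before suppressing the alert.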
