Hackers exploit RCE vulnerability in Microsoft Outlook

The warning refers to the CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability discovered last year by Check Point Research experts. The bug affects a number of Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019.

The security hole results in remote code execution when an e-mail with malicious links is opened using a vulnerable version of Microsoft Outlook. Successful exploitation of this vulnerability enables an attacker to bypass the Office Protected View and open malicious Office files in edit mode.

Such attacks can result in the leaking of local NTLM credentials and remote code execution (RCE).

Importantly, the Preview Pane can also be used as an attack vector since CVE-2024-21413 can be exploited when malicious documents are previewed.

The vulnerability, dubbed Moniker Link by Check Point Research analysts, makes it possible to bypass Outlook protection against malicious links embedded in emails by using the file:// construct. All the attacker has to do is add a ! character to the URL that points to an attacker-controlled server.

The exclamation mark is added immediately after the document extension along with arbitrary text (Check Point Research used the word “something” in its example):

Such a link bypasses Outlook restrictions, and Outlook gains access to the remote resource \\\10.10.111.111\test\test.rtf when the link is clicked. Importantly, no warnings or errors are displayed.

According to the experts, the vulnerability is related to the MkParseDisplayName API and can affect other software that uses it.

As CISA reports, the security hole is actively exploited and has been added to the Known Exploited Vulnerabilities (KEV) catalog.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” – CISA.