CVE-2024-21413 — Microsoft Outlook Improper Input Validation Vulnerability

Microsoft Outlook — MonikerLink "#!" Trick Bypasses Protected View; NTLM Hash Leak via Crafted Hyperlink; CVSS 9.8; KEV February 2025

What is Microsoft Outlook?

Microsoft Outlook is the dominant enterprise email client, used by hundreds of millions of people worldwide as part of Microsoft 365 and Office suites. Outlook processes emails from arbitrary senders, rendering rich HTML content and embedded links — making it a persistent phishing and exploitation target. Email-borne vulnerabilities that execute with minimal user interaction (preview pane rendering, automatic loading of remote content) are particularly dangerous because they can exploit recipients at enterprise scale. Outlook's integration with Windows authentication mechanisms (NTLM) creates a recurring vulnerability class where malicious emails can trigger automatic credential disclosure.

Overview

CVE-2024-21413 is an improper input validation vulnerability (CWE-20) in Microsoft Outlook, dubbed "MonikerLink" by Check Point Research who discovered it. The vulnerability abuses a specific URL format — a file-path hyperlink with #! appended — to bypass Outlook's Protected View security feature. Normally, Office Protected View prevents documents opened from internet sources from executing macros or accessing network resources. The MonikerLink trick uses a file:// path (or UNC path) with an exclamation mark fragment that causes Outlook to process the link as a "moniker" (a Windows COM object path) and attempt to load the referenced resource, bypassing Protected View. This can trigger NTLM authentication to an attacker-controlled server — leaking the victim's NTLM hash — and in some configurations can lead to code execution. CISA added it to the KEV catalog in February 2025, nearly a year after the February 2024 patch.

Affected Versions

Product                           | Vulnerable                   | Fixed
Microsoft 365 Apps for Enterprise | Before February 2024 updates | February 2024 security update
Microsoft Office 2019             | Before February 2024 updates | February 2024 security update
Microsoft Office LTSC 2021        | Before February 2024 updates | February 2024 security update
Microsoft Outlook 2016            | Before February 2024 updates | February 2024 security update

Technical Details

The MonikerLink mechanism: Windows supports "monikers" — named object bindings in the COM (Component Object Model) system. A moniker like file://server/share/document.rtf!SomeFragment tells Windows to load the named resource via the COM binding mechanism. The ! (exclamation mark) in the URL is critical: it causes Outlook to interpret the link as a moniker reference rather than a plain file path.

Bypassing Protected View: Outlook's Protected View examines URLs before loading them and applies protection based on zone classification. The moniker path format bypasses the protected view classification logic — the attachment or link appears as a harmless path but causes Outlook to initiate a UNC/SMB connection to an attacker-controlled server.

NTLM credential leakage: When Windows attempts to connect to an SMB server (as part of resolving the moniker), it automatically attempts NTLM authentication and sends the user's NTLMv2 challenge-response, commonly referred to as the NTLM hash. This is standard Windows behavior — any UNC path access attempts NTLM authentication. The attacker's server captures the NTLMv2 hash, which can be:

  • Cracked offline to recover the plaintext password (feasible for weak passwords)
  • Relayed to other services authenticating with NTLM (NTLM relay attacks)

Code execution path: In some configurations, particularly with specific Office document types, the moniker can point to malicious content that executes code — not just leaks credentials.

Phishing simplicity: An attacker embeds the MonikerLink URL in an email body or HTML email. The victim does not need to click any attachment — simply previewing the email in Outlook's reading pane can trigger the connection.

Discovery

The vulnerability was discovered by Haifei Li of Check Point Research, who published it under the "MonikerLink" name. Check Point's research covered the broader implications of moniker-based attacks against Microsoft Office.

Exploitation Context

CISA added CVE-2024-21413 to the KEV catalog in February 2025 — nearly a year after the February 2024 patch. The delayed KEV listing indicates exploitation was ongoing against organizations running unpatched Office versions throughout 2024. The NTLM hash theft capability makes this attractive for targeted credential-harvesting campaigns, particularly against high-value organizations where the victim's domain credentials would be valuable.

Remediation

  1. Apply Microsoft February 2024 security updates for all affected Office/Outlook versions. The CISA deadline was February 27, 2025.
  2. Enable Windows Defender Credential Guard to protect NTLM credentials from relay attacks — this doesn't prevent the hash from being sent but protects domain credentials.
  3. Block outbound SMB (port 445) at the perimeter firewall — prevents NTLM credential theft via UNC paths to external servers.
  4. Disable NTLM authentication where possible (use Kerberos), or configure NTLM relay protections (SMB signing, LDAP signing).
  5. Enable Protected View for email attachments and review Group Policy settings that may have weakened Protected View protections.
  6. Implement email security scanning to detect MonikerLink patterns in inbound email HTML content (file:// links with ! fragments).
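As an added example (not part of the original advisory or Check Point's research), the following scanner implements item 6: it extracts href/src targets from an inbound HTML email body and flags the MonikerLink shape described under Technical Details, i.e. a file:// URL or UNC path followed by an "!" fragment, with or without a leading "#". The sample message, the 203.0.113.10 address and the regular expression are constructed for this example; entity-encoded "!" (e.g. &#33;) is handled because the HTML parser unescapes attribute values.

```python
import re
from html.parser import HTMLParser

# Link shapes the advisory describes: "file:" (with 0-3 slashes) or a UNC
# prefix "\\", a path without "!" or "#", then an optional "#" and a "!"
# fragment. The pattern is this example's own assumption, not Microsoft's.
MONIKER_RE = re.compile(r"^(?:file:(?:/{2,3})?|\\\\)[^\s!#]+#?![^\s]*",
                        re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (tag, target) pairs from href/src attributes in an HTML body."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # HTMLParser has already unescaped entities such as &#33; here.
            if name in ("href", "src") and value:
                self.targets.append((tag, value.strip()))


def is_moniker_link(url: str) -> bool:
    """True if the URL matches the file/UNC + '!' fragment MonikerLink shape."""
    return bool(MONIKER_RE.match(url))


def find_moniker_links(html_body: str):
    """Return every (tag, url) in the body that looks like a MonikerLink."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [(tag, url) for tag, url in collector.targets if is_moniker_link(url)]


# Constructed sample message: two MonikerLink-style references (one using an
# entity-encoded "!"), one HTTPS link containing "!", and one plain file path.
SAMPLE_HTML = """<html><body>
<p>Please review the attached quarterly figures.</p>
<a href="file:///\\\\203.0.113.10\\share\\report.rtf!x">Q3 report</a>
<a href="https://intranet.example.com/report!2024">internal tracker</a>
<img src="file://203.0.113.10/share/logo.png&#33;frag">
<a href="file:///C:/Users/Public/notes.txt">local notes</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_moniker_links(SAMPLE_HTML):
        print(f"MonikerLink pattern in <{tag}>: {url}")
```

A mail gateway would run find_moniker_links over each text/html part and quarantine or rewrite the message on a hit; the HTTPS link with "!" and the plain local file path are deliberately not flagged.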

Key Details

Property             | Value
CVE ID               | CVE-2024-21413
Vendor / Product     | Microsoft — Office Outlook
NVD Published        | 2024-02-13
NVD Last Modified    | 2025-10-28
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-20
CISA KEV Added       | 2025-02-06
CISA KEV Deadline    | 2025-02-27
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2025-02-27. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2024-02-13 | Microsoft February 2024 Patch Tuesday; CVE-2024-21413 patched and published
2025-02-06 | CISA adds to KEV (almost 1 year after patch — confirmed exploitation)
2025-02-27 | CISA BOD 22-01 remediation deadline