
Exploits Target Office CVE-2024-21413 Flaw Microsoft Patched a Year Ago

The flaw can lead to remote code execution

Attackers are targeting a critical remote code execution vulnerability in Outlook for which Microsoft released a fix a year ago, and CISA is warning federal agencies to patch it as quickly as possible.

There are no specific details about the exploit attempts, but an adversary who can successfully exploit this bug can gain high privileges on the target machine, including the ability to read, write, and delete information. 

Why It Matters: Researchers at Check Point discovered and disclosed the vulnerability to Microsoft, which released a fix for it in February 2024. The details of the flaw have been public for a year, which means adversaries have had plenty of time to assess it, develop an exploit, and find vulnerable targets.

Because the flaw affects Outlook, there are bound to be plenty of targets to go around. When Microsoft released the update to address this vulnerability last year, it noted that the attack complexity was low, but that exploitation was unlikely. 

Key Details

  • The vulnerability lies in the way that Outlook handles certain kinds of links, specifically those that start with the file:// prefix. Adding a specific character to a URL that uses this protocol can allow an attacker to bypass some of the built-in security protections in Outlook. “Such a link will bypass the previously discussed existing Outlook security restriction, and Outlook will continue to access the remote resource ‘\\10.10.111.111\test\test.rtf’ when the user clicks the link,” the Check Point analysis says.

  • A successful exploit would bypass the Protected View feature in Outlook, which would then leak the local NTLM credentials and lead to remote code execution.

  • The vulnerability affects Office 2016 32-bit and 64-bit editions, Office 365, Office 2019, and Office LTSC 2021.

  • CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on Feb. 6.

How the Attack Works

The vulnerability stems from how Outlook processes certain types of hyperlinks—specifically, file:// protocol links that reference remote files. While Outlook typically prevents direct access to such links, adding an exclamation mark (!) and arbitrary text at the end of the file path bypasses these protections.

Exploitation Process:

  1. An attacker sends a malicious email with a specially crafted file:// link.

  2. When the user clicks the link, Outlook attempts to access the remote file via SMB, leaking the user's NTLM hash in the process.

  3. The attack bypasses Protected View, meaning an attacker can potentially execute code remotely without user interaction beyond clicking the link.

Key Technical Details:

  • The bug leverages COM Monikers, an old Windows mechanism that allows applications to look up and execute objects.

  • The attack forces Microsoft Word to open a remote RTF file, creating an avenue for code execution if the document contains an exploit.

  • Outlook fails to recognize the modified file:// link as a security risk, allowing the attack to succeed.

Affected versions:

  • Office 2016 (32-bit & 64-bit)

  • Office 2019

  • Office LTSC 2021

  • Microsoft 365 (all versions as of early 2024)

What You Should Do Now

Security teams should immediately apply the patch and take additional steps to harden Outlook against similar attacks.

Mitigation & Security Best Practices

  1. Apply Microsoft's patch for CVE-2024-21413 – Available since February 2024.

  2. Block outbound SMB traffic – Prevents NTLM credential leaks.

  3. Disable automatic hyperlink handling – Enforce policies that prevent users from clicking on file:// links.

  4. Monitor NTLM authentication requests – Look for anomalous network activity that may indicate exploitation attempts.
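
The link pattern described under "How the Attack Works" (a file:// link to a remote host with an exclamation mark appended to the path) and the monitoring step above can be turned into a simple mail-gateway check. The following is an added example written for this article, not code from Check Point or Microsoft; the regex, the sample message body and the host name fileserver.corp.example are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches file: links in plain text or HTML href values. Constructed, simplified
# pattern: stops at whitespace, quotes and angle brackets.
FILE_LINK_RE = re.compile(r'file:[/\\]{2}[^\s"\'<>]+', re.IGNORECASE)

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def classify_file_link(url: str) -> dict:
    """Classify one file: link by the CVE-2024-21413 indicators.

    "bypass-pattern": remote host and a '!' appended to the path (the trick this page describes)
    "remote-file":    remote UNC host, no '!' (the case Outlook normally blocks)
    "local":          drive letter, empty host or localhost
    """
    # Normalise backslashes so "file:///\\host\share\x" and "file://host/share/x"
    # parse the same way, then drop the slashes that follow the scheme.
    rest = url[len("file:"):].replace("\\", "/").lstrip("/")
    host, _, path = rest.partition("/")
    path = unquote(path)  # also catch a percent-encoded '!' (%21)
    if host.lower() in LOCAL_HOSTS or re.fullmatch(r"[A-Za-z]:", host):
        risk = "local"
    elif "!" in path:
        risk = "bypass-pattern"
    else:
        risk = "remote-file"
    return {"url": url, "host": host.lower(), "path": path, "risk": risk}


def scan_email_body(body: str) -> list:
    """Classify every file: link found in a message body (HTML or plain text)."""
    return [classify_file_link(m.group(0)) for m in FILE_LINK_RE.finditer(body)]


def high_risk_links(body: str) -> list:
    """Return only the URLs showing the '!' bypass pattern against a remote host."""
    return [f["url"] for f in scan_email_body(body) if f["risk"] == "bypass-pattern"]


# Constructed sample message body (not real traffic): one bypass-style link using
# the address quoted on this page, one plain remote file link, one local link.
SAMPLE_BODY = (
    r'<p>Quarterly report: <a href="file:///\\10.10.111.111\test\test.rtf!something">open</a></p>'
    " see file://fileserver.corp.example/share/policy.docx and file:///C:/Users/me/notes.txt"
)
```

A gateway rule that quarantines messages where high_risk_links() is non-empty, and logs "remote-file" hits for review, covers both the bypass variant and the plain remote UNC links that Outlook already blocks.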

CISA has urged federal agencies to apply the patch by February 6, 2025, emphasizing the growing risk of exploitation.