Article Details
Scrape Timestamp (UTC): 2025-02-06 18:19:18.593
Original Article Text
Critical RCE bug in Microsoft Outlook now exploited in attacks
CISA warned U.S. federal agencies on Thursday to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability.
Discovered by Check Point vulnerability researcher Haifei Li and tracked as CVE-2024-21413, the flaw is caused by improper input validation when opening emails with malicious links using vulnerable Outlook versions.
The attackers gain remote code execution capabilities because the flaw lets them bypass the Protected View (which should block harmful content embedded in Office files by opening them in read-only mode) and open malicious Office files in editing mode.
When it patched CVE-2024-21413 one year ago, Microsoft also warned that the Preview Pane is an attack vector, allowing successful exploitation even when previewing maliciously crafted Office documents.
As Check Point explained, this security flaw (dubbed Moniker Link) lets threat actors bypass built-in Outlook protections for malicious links embedded in emails using the file:// protocol and by adding an exclamation mark to URLs pointing to attacker-controlled servers. The exclamation mark is added right after the file extension, together with random text (in their example, Check Point used "something").
CVE-2024-21413 affects multiple Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. Successful CVE-2024-21413 attacks can result in the theft of NTLM credentials and the execution of arbitrary code via maliciously crafted Office documents.
On Thursday, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, marking it as actively exploited. As mandated by the Binding Operational Directive (BOD) 22-01, federal agencies must secure their networks within three weeks, by February 27.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the cybersecurity agency warned.
While CISA primarily focuses on alerting federal agencies about vulnerabilities that should be patched as soon as possible, private organizations are also advised to prioritize patching these flaws to block ongoing attacks.
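
The Moniker Link shape described above (a file:// link with an exclamation mark and extra text right after the file extension) can be hunted for in stored mail. The following is an added detection sketch, not code from the article, Check Point or Microsoft; the regular expression is a heuristic, and the host names, paths and function names are hypothetical.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import unquote

# Link shape from the article: file: scheme, then "!" plus text right after a file extension.
MONIKER_RE = re.compile(r"^file:.*\.[a-z0-9]{1,8}![^\\/]*$", re.IGNORECASE | re.DOTALL)

# Constructed sample message (hypothetical hosts and paths), not captured traffic.
SAMPLE = r"""From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://example.invalid/report.docx">web link</a>
<a href="file:///\\files.example.invalid\share\report.rtf">plain file link</a>
<a href="file:///\\files.example.invalid\share\report.rtf!something">link</a>
<a href="FILE:///\\files.example.invalid\share\report.rtf%21something">link</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects href/src attribute values from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]

def is_moniker_link(url):
    # Decode percent-escapes first so "%21" cannot hide the exclamation mark.
    return bool(MONIKER_RE.match(unquote(url).strip()))

def find_moniker_links(raw_message):
    """Return every link in the message's HTML parts that has the Moniker Link shape."""
    hits = []
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            hits += [u for u in collector.links if is_moniker_link(u)]
    return hits

if __name__ == "__main__":
    for hit in find_moniker_links(SAMPLE):
        print("suspicious link:", hit)
```

A match is a lead for triage on mail already delivered; applying Microsoft's patch remains the remediation the article describes.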
Daily Brief Summary
CISA issued a warning to U.S. federal agencies about ongoing attacks exploiting a critical vulnerability in Microsoft Outlook, identified as CVE-2024-21413.
The flaw, discovered by Check Point researcher Haifei Li, allows remote code execution due to improper input validation in handling emails with malicious links.
Microsoft had previously patched this vulnerability and warned that the Preview Pane could serve as an attack vector, facilitating exploitation without opening the email.
Attackers are utilizing the Moniker Link technique to bypass Outlook’s Protected View and execute arbitrary code through malicious Office documents.
The vulnerability impacts several Microsoft Office products including Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Outlook 2016.
Exploitation of this vulnerability can lead to theft of NTLM credentials and execution of arbitrary code by opening specially crafted Office documents.
CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog and mandated that federal agencies secure their systems within three weeks.
CISA also advises private organizations to prioritize patching this flaw to mitigate potential risks associated with these exploits.