New MonikerLink Flaw Exposes Outlook Users to Data Theft and Malware

The #MonikerLink security flaw in Microsoft Outlook allows hackers to execute arbitrary code on the targeted device.

The #MonikerLink vulnerability (CVE-2024-21413) holds a CVSS score of 9.8 out of 10, indicating critical severity and high exploitability, potentially enabling system compromise with minimal user interaction.

Check Point Research (CPR) has discovered a critical security flaw in Microsoft Outlook. Dubbed the #MonikerLink; the vulnerability allows threat actors to execute arbitrary code on their targeted device. The research, detailed in a blog post, highlights the flaw’s potential to exploit the way Outlook processes certain hyperlinks.

The exploit is tracked as CVE-2024-21413 with a CVSS score of 9.8 out of 10, which means the vulnerability has critical severity and is highly exploitable, possibly allowing an attacker to compromise the system with minimal user interaction. This could lead to complete system compromise, denial of service, and data breach. Furthermore, an attacker could execute arbitrary code, steal data, and install malware. 

The issue occurs due to the way Outlook processes the “file://” hyperlinks, leading to severe security implications. Threat actors can execute unauthorized code on the targeted device. CPR’s research reveals that the #MonikerLink vulnerability misuses the Component Object Model (COM) on Windows, allowing unauthorized code execution and leaking of local NTLM credential information. 

The vulnerability exploits a user’s NTLM credentials to enable arbitrary code execution through the COM in Windows. When a user clicks on the malicious hyperlink, it connects to a remote server controlled by the attacker, compromising authentication details and potentially leading to code execution. This allows attackers to invoke COM objects and execute code on the victim’s machine remotely, bypassing the Protected View mode in Office applications.

Researchers studied three attack vectors for MS Windows-Outlook 2021: the “obvious” Hyperlink attack vector, the “normal” attachment attack vector, and the “advanced” attack vector. The “obvious” Hyperlink attack vector involves sending emails with malicious web hyperlinks, posing security risks in browsers.

The “normal” attachment attack vector involves the attacker sending a malicious email and luring the victim to open the attachment. The Advanced attack vector, the Email Reading attack vector, triggers security problems when the victim reads an email on Outlook.

Microsoft Outlook, one of the world’s most popular Microsoft Office suite apps, has become a critical gateway for introducing cyber threats into organizations. Microsoft’s Threat Protection Intelligence team discovered a critical vulnerability (CVE-2023-23397) in Outlook in March 2023 which threat actor Forest Blizzard was exploiting to steal Net-NTLMv2 hashes and access user accounts.

According to CPR’s blog post, the company has confirmed the latest vulnerability in Microsoft 365 environments and notified the Microsoft Security Response Center. Microsoft is yet to respond to the issue. will update readers as soon as more details are shared with the cybersecurity community.

This vulnerability, which extends beyond Outlook, poses a significant risk to organizational security. Both users and organizations are advised to apply patches, follow security practices, and remain vigilant against suspicious emails.

  1. Microsoft Outlook bug expose Windows credentials to hackers
  2. StrelaStealer Malware Hijacking Outlook, Thunderbird Accounts
  3.  Chinese Hackers Stole Signing Key to Breach Outlook Accounts
  4. New variant of MassLogger Trojan stealing Chrome, Outlook data
  5. Microsoft Teams External Access Abuses to by DarkGate Malware
Related Posts