Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability

This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE.

Successful exploitation can bypass built-in Outlook protections for malicious links embedded in messages by using the file:// protocol and an exclamation mark to URLs pointing to attacker-controlled servers.

Sublime rule

name: "Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability"
description: |
  This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE.

  Successful exploitation can bypass built-in Outlook protections for malicious links embedded in messages by using the file:// protocol and an exclamation mark to URLs pointing to attacker-controlled servers.
references:
  - "https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/"
  - "https://www.bleepingcomputer.com/news/security/new-critical-microsoft-outlook-rce-bug-is-trivial-to-exploit/"
  - "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21413"
type: "rule"
severity: "critical"
source: |
  type.inbound
  and any(body.links,
          .href_url.scheme == "file"
          and regex.icontains(.href_url.url, '\.[a-z]{2,4}(\.[a-z]{2,4})?!')
  )

tags:
  - "CVE-2024-21413"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
detection_methods:
  - "URL analysis"
id: "e8151426-6893-598b-a42c-6ab8c0d0621d"
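The rule's predicate re-implemented in Python, as an added example that is not Sublime's code or part of the rule itself: it pulls `href` values out of a constructed HTML body (standing in for `body.links`), keeps only `file`-scheme links, and applies the same case-insensitive regex. The sample body and the hostnames in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Same pattern the rule passes to regex.icontains; IGNORECASE mirrors the "i" in icontains.
MONIKER_RE = re.compile(r"\.[a-z]{2,4}(\.[a-z]{2,4})?!", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collects <a href> values from an HTML body (stand-in for body.links)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(html_body):
    parser = _LinkExtractor()
    parser.feed(html_body)
    return parser.hrefs


def is_cve_2024_21413_link(href):
    """Rule predicate: scheme must be 'file' and the URL must carry a '.tld!' marker."""
    scheme = urlsplit(href).scheme.lower()
    return scheme == "file" and MONIKER_RE.search(href) is not None


def find_suspicious_links(html_body):
    """Like any(body.links, ...) in the rule, but returns every matching href."""
    return [h for h in extract_links(html_body) if is_cve_2024_21413_link(h)]


# Constructed sample message body; hosts are placeholders, not real indicators.
SAMPLE_BODY = """<html><body>
<p>Report: <a href="https://portal.example/report">view online</a></p>
<p>Archive: <a href="file://host.test/docs/report.rtf!x">open</a></p>
<p>No marker: <a href="file://host.test/docs/report.rtf">open</a></p>
<p>Marker, wrong scheme: <a href="https://host.test/a.rtf!x">open</a></p>
</body></html>"""

if __name__ == "__main__":
    for href in find_suspicious_links(SAMPLE_BODY):
        print("matches CVE-2024-21413 rule:", href)
```

Note that a `file://` link without the `!` marker is deliberately not flagged, matching the rule's scope, and a non-`file` scheme with the marker is excluded by the scheme check.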