CISA Warning Highlights Actively Exploited Critical Vulnerability in Microsoft Outlook

February 10, 2025


A CISA warning to federal agencies has put a spotlight on a critical Microsoft Outlook vulnerability that allows for remote code execution and can grant an attacker control over a target system.

The flaw can be exploited by simply opening a tainted Office file, and CISA notes that it has been exploited in the wild.

Vulnerable Outlook versions can be exploited by malicious email links

CISA has warned federal agencies to expect active attempts to exploit CVE-2024-21413, a flaw in which certain versions of Outlook fail to properly validate input when opening links in email. Affected versions include (but are not limited to) Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, and Microsoft Outlook 2016.

Under normal circumstances, Office files opened from an email are automatically viewed in read-only mode to defend against this exact sort of attack. However, the flaw lets an attacker bypass the “Protected Mode” feature that is supposed to engage, so that the malicious file they link to opens in editing mode instead. This opens the door to remote code execution. The attack is not at all technically advanced: it essentially only requires the threat actor to add an exclamation point at the right place in the URL.

Researchers with Check Point were the first to document this flaw, calling it “Moniker Link,” and they believe it may be a long-overlooked issue in the Windows/COM ecosystem that impacts an even greater range of Outlook versions that possibly date back “decades.” It has been given a CVSS score of 9.8 and assessed as allowing arbitrary code execution at the Medium integrity level. Other software that uses the impacted API in the same way may also be vulnerable to this approach, though Check Point has not named anything specific as of yet.
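Because the article describes the trick as a link with an exclamation point in the wrong place, plus a dependency on outbound SMB, one defensive use of that description is a mail-gateway or SOC heuristic that flags such links before a user clicks them. The script below is an added example written for this article, not Check Point's or Microsoft's code. It assumes the pattern is a `file://` link that points at a remote share and carries an exclamation point after the file path; every sample message in it is constructed, and the hostnames and paths are placeholders.

```python
"""
Heuristic scan of e-mail bodies for "Moniker Link"-style hyperlinks.

Added example (not from the article, Check Point or Microsoft). Assumption:
a suspicious link is a file:// URL that targets a remote host or UNC share
(not a local drive) and contains an exclamation point after the path.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


class _HrefCollector(HTMLParser):
    """Collect href attribute values from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


# Bare file: URLs pasted into the text rather than wrapped in an anchor tag.
_BARE_FILE_URL = re.compile(r"file:[^\s\"'<>]+", re.IGNORECASE)


def extract_links(body: str) -> list[str]:
    """Return anchor hrefs plus any bare file: URLs, in order, without duplicates."""
    parser = _HrefCollector()
    parser.feed(body)
    links = list(parser.hrefs)
    for match in _BARE_FILE_URL.finditer(body):
        if match.group(0) not in links:
            links.append(match.group(0))
    return links


def is_suspicious_moniker_link(url: str) -> bool:
    """True when a file:// URL targets a remote share and contains '!' after the path.

    The URL is percent-decoded first so an encoded '%21' cannot slip past the check.
    """
    parsed = urlparse(unquote(url.strip()))
    if parsed.scheme.lower() != "file":
        return False
    # Remote target: either file://host/share or a UNC-style file:///\\host\share path.
    remote = bool(parsed.netloc) or parsed.path.lstrip("/").startswith("\\\\")
    # Backslash-only URLs can land entirely in netloc, so inspect both parts.
    target = parsed.netloc + parsed.path
    return remote and "!" in target


def scan_message(body: str) -> list[str]:
    """Return the links in one message body that match the heuristic."""
    return [u for u in extract_links(body) if is_suspicious_moniker_link(u)]


# Constructed sample messages (placeholder hosts from documentation ranges).
SAMPLE_MESSAGES = {
    "benign": '<p>See the <a href="https://example.com/report!final">report</a>.</p>',
    "suspicious_anchor": r'<p>Open <a href="file:///\\203.0.113.5\share\invoice.rtf!x">the invoice</a></p>',
    "suspicious_bare": "Reminder: file://fileserver.example/docs/notes.rtf!abc",
    "encoded": '<a href="file://fileserver.example/docs/notes.rtf%21abc">notes</a>',
    "local_file": r'<a href="file:///C:/Users/me/notes.rtf!x">local</a>',
}

if __name__ == "__main__":
    for label, body in SAMPLE_MESSAGES.items():
        print(f"{label:18s} -> {scan_message(body)}")
```

The local-drive case is deliberately not flagged, since the article's mitigation (blocking outbound SMB) only makes sense for links that reach out to a remote share; tune that choice to your own environment, and treat a hit as a reason to quarantine and review, not as proof of exploitation.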

Flaw exploited in the wild, but victim count and damage unknown

CISA has added Moniker Link to its Known Exploited Vulnerabilities (KEV) Catalog, something only done when there has been confirmed exploitation in the wild. However, there remains little public information about who was breached and how bad the damage was. Federal agencies are nonetheless now required to ensure patching has taken place and to harden against the vulnerability.

Given that a broad range of older versions of Outlook seem to be impacted, it is prudent for anyone using the software to check whether their version is vulnerable and requires patching. This can be done by opening Outlook and going to the File > Account > Product Information menu. The version number of Outlook should be listed under the “About Outlook” details. If the version number of Microsoft 365 Apps is at Version 2401 (Build 17231.20236) or later, the vulnerability has been patched out. For older products, Microsoft has issued individual advisories that should be consulted. One other potential mitigation lies in the fact that Moniker Link will not work if the victim’s network does not allow outbound SMB traffic.