As part of this month's Patch Tuesday, Microsoft released a fix for a critical vulnerability affecting multiple Outlook versions.
The vulnerability, CVE-2024-21413 (aka MonikerLink), allows threat actors to bypass protections in Outlook for malicious links embedded in emails.
Successful exploitation can lead to theft of NTLM credential information and can be used in conjunction with other Office vulnerabilities to achieve remote code execution.
Additionally, it allows threat actors to bypass Protected View (which is designed to open Office documents in read-only mode) and instead open Office documents in editing mode.
For full details on the root cause of the vulnerability and proof-of-concept code, see the vulnerability research from Haifei Li here.
Administrators are strongly encouraged to apply the appropriate security updates from Microsoft. The Microsoft security advisory with security update links can be found here.
PacketWatch strongly recommends blocking outbound traffic over port 445 at the external firewall.
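One way to confirm the egress block is effective and to find hosts that have already attempted outbound SMB (TCP/445) is to scan firewall connection records for port 445 flows leaving the internal address space. The script below is an added example, not code from PacketWatch or Microsoft. The CSV column layout, the sample records, the internal ranges and the function names are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Address space treated as internal (assumption: adjust to your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample records, not real traffic. The column layout is hypothetical.
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,dst_port,proto,action
2024-02-14T09:01:12Z,10.1.4.22,10.1.0.5,445,tcp,allow
2024-02-14T09:03:47Z,10.1.4.22,203.0.113.50,445,tcp,allow
2024-02-14T09:03:49Z,10.1.4.22,203.0.113.50,445,tcp,allow
2024-02-14T09:10:05Z,10.1.7.80,198.51.100.9,445,tcp,deny
2024-02-14T09:11:30Z,10.1.7.81,198.51.100.9,443,tcp,allow
2024-02-14T09:12:00Z,10.1.9.3,not-an-ip,445,tcp,allow
"""

def outbound_smb(log_text, internal=INTERNAL_NETS):
    """Return {src_ip: {action: count}} for TCP/445 flows to non-internal hosts."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["proto"].lower() != "tcp" or row["dst_port"].strip() != "445":
            continue
        try:
            dst = ipaddress.ip_address(row["dst_ip"].strip())
        except ValueError:
            continue  # malformed destination field: skip the record
        if any(dst in net for net in internal):
            continue  # internal file sharing is not an egress event
        action = row["action"].strip().lower()
        per_src = findings.setdefault(row["src_ip"].strip(), {})
        per_src[action] = per_src.get(action, 0) + 1
    return findings

def unblocked_hosts(findings):
    """Sources whose outbound 445 traffic was allowed, i.e. the block is missing."""
    return sorted(src for src, c in findings.items() if c.get("allow", 0) > 0)

if __name__ == "__main__":
    found = outbound_smb(SAMPLE_LOG)
    for src, counts in sorted(found.items()):
        print(src, counts)
    print("hosts with ALLOWED outbound 445:", unblocked_hosts(found))
```

Any host returned by `unblocked_hosts` reached an external address over port 445, which means the firewall rule is absent or bypassed for that path; denied attempts are still worth reviewing as possible triggers of a malicious link.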
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.