Moniker Link (CVE-2024-21413)

Celia Catalán



On February 13, 2024, Microsoft reported a vulnerability in its Outlook application. I identified this vulnerability with CVE-2024-21413, whose criticality was classified as 9.8 (critical). The affected versions are:

Edition | Version
Microsoft Office LTSC 2021 | Affected since version 19.0.0
Microsoft 365 Apps for Enterprise | Affected since version 16.0.1
Microsoft Office 2019 | Affected since version 16.0.1

The vulnerability works by bypassing Protected View in Outlook, a feature that restricts content to read-only access and thereby prevents malicious scripts such as macros from being executed on the system.

The vulnerability bypasses Outlook's security mechanisms by using a specific type of hyperlink called a Moniker Link, which gives the vulnerability its name. The attacker can exploit it by sending an email containing the Moniker Link to a victim. When the victim clicks on the link, their NetNTLMv2 credentials are sent to the attacker.

Within a controlled environment it was possible to replicate the vulnerability step by step. The first step in understanding the vulnerability is to know that a file:// Moniker Link in Outlook can cause the victim's client to attempt to access a file on a network share. The SMB protocol is used for this, and it requires the user's credentials, so Outlook's Protected View blocks the link. However, by using the “!” character in the link, this Outlook security measure can be bypassed. The resulting code to exploit the vulnerability would be:


Once this is understood, the next thing to do is set up an SMB listener on the attacker's machine.


In addition, we create a file containing the exploit code, which is readily available on GitHub (https://github.com/CMNatic/CVE-2024-21413).


Modifications to be made:
  • Modify the Moniker link on line 12 to reflect the IP of the attacker's machine
  • Change the MAILSERVER on line 31 to the machine's IP

Once all changes have been made, save the script and run it. When the unwitting user clicks on the hyperlink, their client attempts to connect to a non-existent network share. That connection attempt is what allows us to capture the NetNTLMv2 hash.



With this, the exploitation of the Moniker Link vulnerability is complete.
To avoid this type of attack, the following is recommended:
  • Do not click on emails of unknown origin
  • Preview emails before clicking on suspicious links
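
As a complement to these recommendations, mail can be screened for the link pattern described above (a file:// hyperlink containing “!”) before it reaches a user. The following is an added example, not part of the original post or of the referenced PoC; the function names and the sample messages (including host.example) are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import unquote


class _HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_moniker_link(href: str) -> bool:
    """True for a file: URL that contains '!' (the pattern this post describes)."""
    # Decode percent-encoding first so an encoded '!' (%21) is not missed.
    url = unquote(href).strip().lower()
    return url.startswith("file:") and "!" in url[5:]


def suspicious_links(raw_email: str) -> list[str]:
    """Return every Moniker-Link-style href found in the HTML parts of a message."""
    msg = message_from_string(raw_email, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _HrefCollector()
        collector.feed(part.get_content())
        found += [h for h in collector.hrefs if is_moniker_link(h)]
    return found


# Constructed sample messages (host.example is a placeholder, not from the post).
BENIGN = ("Subject: minutes\nMIME-Version: 1.0\nContent-Type: text/html\n\n"
          '<a href="https://intranet.example/minutes.html">Minutes</a>')
FLAGGED = ("Subject: invoice\nMIME-Version: 1.0\nContent-Type: text/html\n\n"
           '<a href="file://host.example/share/invoice.rtf%21x">Invoice</a>')

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, suspicious_links(raw))
```

Treat a hit as a triage signal for quarantine or review rather than as proof of malicious intent.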
And that's the end of the post for today, thanks for the time and until next time!

Jorge Ezequiel de Francisco, Cybersecurity Analyst at Zerolynx.