← Back to Explore
sublimecriticalRule
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE. Successful exploitation can bypass built-in Outlook protections for malicious links embedded in messages by using the file:// protocol and an exclamation mark to URLs pointing to attacker-controlled servers."
Detection Query
type.inbound
and any(body.links,
.href_url.scheme == "file"
and regex.icontains(.href_url.url, '\.[a-z]{2,4}(\.[a-z]{2,4})?!')
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
CVE-2024-21413
Raw Content
name: "Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability"
description: |
This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE.
Successful exploitation can bypass built-in Outlook protections for malicious links embedded in messages by using the file:// protocol and an exclamation mark to URLs pointing to attacker-controlled servers."
references:
- "https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/"
- "https://www.bleepingcomputer.com/news/security/new-critical-microsoft-outlook-rce-bug-is-trivial-to-exploit/"
- "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21413"
type: "rule"
severity: "critical"
source: |
type.inbound
and any(body.links,
.href_url.scheme == "file"
and regex.icontains(.href_url.url, '\.[a-z]{2,4}(\.[a-z]{2,4})?!')
)
tags:
- "CVE-2024-21413"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Exploit"
detection_methods:
- "URL analysis"
id: "e8151426-6893-598b-a42c-6ab8c0d0621d"