Moniker Link

Introduction

On February 13th, 2024, Microsoft announced a Microsoft Outlook RCE & credential leak vulnerability with the assigned CVE of CVE-2024-21413(Moniker Link). Haifei Li of Check Point Research is credited with discovering the vulnerability.

The vulnerability bypasses Outlook’s security mechanisms when handing a specific type of hyperlink known as a Moniker Link. An attacker can abuse this by sending an email that contains a malicious Moniker Link to a victim, resulting in Outlook sending the user’s NTLM credentials to the attacker once the hyperlink is clicked.

Moniker Link (CVE-2024-21413)

Outlook can render emails as HTML. You may notice this being used by your favourite newsletters. Additionally, Outlook can parse hyperlinks such as HTTP and HTTPS. However, it can also open URLs specifying applications known as Moniker Links. Normally, Outlook will prompt a security warning when external applications are triggered.

TO be continued ..