
The Outlook 'MonikerLink' Bug: One Click, Protected View Bypassed

CVE-2024-21413 let attackers bypass Outlook's Protected View sandbox with a single specially crafted hyperlink, leading to code execution and potential credential leakage. Patched in February 2024's Patch Tuesday.

0day News Desk · Published · 1 min read

Most enterprise phishing defenses assume that even if a user clicks something they shouldn’t, sandboxing and content protections will limit the damage. CVE-2024-21413 — nicknamed “MonikerLink” by Check Point Research, which discovered and reported it — broke that assumption for Microsoft Outlook with a single click.

How the bug works

Outlook normally opens untrusted file attachments and links inside Protected View, a sandboxed mode that strips out active content and limits what a document can do until the user explicitly trusts it. MonikerLink is a way around that: a hyperlink crafted with the file:// moniker syntax and a specific exclamation-mark suffix appended causes Outlook to open the referenced file directly, completely bypassing Protected View.

The consequences ranged from remote code execution to, in some configurations, leaking the user’s NTLM credential hash to an attacker-controlled server — useful for relay attacks even without full code execution.
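The link shape described above can be checked for at a mail gateway or in a message-triage script. The following is an added example, not code from Check Point, Microsoft or this article's author; the matching rule (a `file:` href with a `!` after the scheme) is an assumption drawn from the description above, and the sample message and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote


class _HrefCollector(HTMLParser):
    """Collects href values from <a> and <area> tags.
    HTMLParser decodes HTML entities inside attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_suspicious(href):
    """Heuristic (assumption): file: scheme with a '!' after the scheme."""
    # Drop spaces and control characters that could split the scheme name.
    cleaned = "".join(ch for ch in href if ch > " ")
    decoded = unquote(cleaned)  # so a percent-encoded %21 is seen as '!'
    scheme, sep, rest = decoded.partition(":")
    return bool(sep) and scheme.lower() == "file" and "!" in rest


def find_suspicious_links(html_body):
    """Return the hrefs in an HTML mail body that match the heuristic."""
    collector = _HrefCollector()
    collector.feed(html_body)
    collector.close()
    return [h for h in collector.hrefs if is_suspicious(h)]


# Constructed sample message body; hosts use the reserved .test TLD.
SAMPLE_BODY = """
<p>Hi, the figures are here:
<a href="https://intranet.example.test/reports/q3!final">web link with '!'</a>
<a href="file://files.example.test/share/q3.docx">plain file link</a>
<a href="FILE://files.example.test/share/q3.docx!ref">file link with suffix</a>
<a href="file://files.example.test/share/q3.docx&#37;21ref">encoded variant</a>
</p>
"""

if __name__ == "__main__":
    for link in find_suspicious_links(SAMPLE_BODY):
        print("flag for review:", link)
```

A hit is a triage signal rather than proof of exploitation; a stricter policy would flag every `file:` link in inbound mail regardless of suffix.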

Disclosure and patch

Microsoft patched CVE-2024-21413 as part of its February 2024 Patch Tuesday release, assigning it a CVSS score of 9.8. Unlike several other vulnerabilities covered by this desk, Microsoft did not confirm active in-the-wild exploitation at the time of disclosure. Security teams treated it as a same-week priority patch regardless, given how trivial the trigger condition was (one click on a link inside an email) and how often Protected-View-bypass techniques get weaponized shortly after public disclosure.

Why it mattered

Outlook remains one of the most widely deployed email clients in enterprise environments, and email is still the dominant initial-access vector for ransomware and business email compromise campaigns. A bug that defeats a core anti-exploitation control with a single click — no macro, no attachment download, just a link — is precisely the kind of flaw that lowers the bar for a successful phishing campaign from “convince someone to enable macros” to “convince someone to click.”

The full technical writeup and the patch itself are documented in Microsoft’s MSRC advisory and the linked NVD record.

This article describes the vulnerability and its real-world impact only — it does not include exploit code or step-by-step attack instructions.
