top of page

Microsoft Outlook Remote Code Execution (CVE-2024-21413)

Application Details

Microsoft Outlook is an application that's used mainly to send and receive emails. It's also used to manage various types of personal data including calendar appointments and similar entries, tasks, contacts, and notes.


Microsoft Outlook could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper neutralization of user-supplied input by the Preview Pane feature.


An attacker could exploit this vulnerability to bypass the Protected View Protocol, obtain local NTLM credentials, and execute arbitrary code with elevated privileges on the system. By modifying a hyperlink with the "!" character and additional text in the Moniker Link the attacker is able to bypass Outlook's Protected View. This allows the attacker's remote resource to be accessed without triggering any warnings.

An example payload sent as an email:

<h1><a href=\"file:///\\!meeting\">Meeting - click here.</a></h1>

By turning this into a traffic file and matching rule, we are able to detect attempts to execute arbitrary code on the system.


Idappcom have created signature 8024675 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here:


bottom of page