Microsoft Outlook RCE bug exploited in the wild: security alert issued

A critical remote code execution threat

Microsoft Outlook vulnerability CVE-2024-21413 exploited in the wild

A newly discovered remote code execution vulnerability in Microsoft Outlook, tracked as CVE-2024-21413,[1] is being actively exploited by cybercriminals. The flaw allows attackers to execute arbitrary code remotely by sending a specially crafted email containing malicious links. It lets attackers bypass Outlook's security protections and run harmful code without requiring any direct user interaction, which makes it especially dangerous.

Security researchers have discovered that the exploit takes advantage of how Outlook processes hyperlinks in emails. By default, Outlook's Protected View mode limits potentially dangerous content by opening documents in read-only mode.

Attackers, however, have found a way to bypass these restrictions so that malicious payloads are triggered automatically when an email is previewed. This kind of zero-click attack vector means that users are compromised merely by receiving and previewing an email; they do not need to open an attachment.

The impact of this vulnerability is critical: it can lead to unauthorized access to business networks, theft of confidential information, and the delivery of ransomware or other malware. Given how widely Outlook is used by businesses and government agencies, the attack surface is enormous.

Microsoft has acknowledged the issue and released security updates that address the threat; however, numerous systems remain vulnerable because of delayed updates or a lack of awareness among users.

CISA's advisory

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning that the CVE-2024-21413 vulnerability is being actively exploited in cyberattacks. Government agencies and security firms have reported incidents where attackers leveraged this flaw to compromise enterprise systems:[2]

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA has therefore added this vulnerability to its Known Exploited Vulnerabilities catalog and called on organizations to patch their systems.

Reported incidents show attackers using spear-phishing campaigns to compromise companies, government offices, and critical infrastructure entities. These attacks rely on emails with embedded links that exploit the unpatched vulnerability. Once the malicious code executes, it can give attackers remote access to the compromised system, enabling further malicious activity such as data exfiltration or the installation of additional malware.

Microsoft responded by releasing patches for the affected versions of Outlook, which include Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019.[3] However, organizations that have not yet applied the patches remain at risk. Security professionals advise prompt patching, along with additional security measures designed to identify and block exploitation attempts.

Mitigation strategies and security best practices

To stay safe from this critical vulnerability, every Outlook installation should be updated with the latest security patch. Microsoft provided the fixes in its February 2024 Patch Tuesday[4] updates, and users are strongly advised to install them as soon as possible.

Beyond patching, additional security measures can help mitigate the risk. Disabling NTLM authentication where feasible can prevent attackers from leveraging credential theft techniques.

Organizations should also monitor network traffic for any unusual outbound connections, as these could be indicative of attempted exploits. Implementing email security solutions that are capable of detecting and blocking malicious emails before they reach end users can further reduce the risk of infection.
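As an added example that is not part of the original article, the following Python script shows the kind of outbound-connection check the two paragraphs above describe. It scans firewall log lines (the format and the sample lines are constructed for this example) and flags TCP connections from internal hosts to external addresses on ports 445 (SMB) and 139 (NetBIOS session), because those are the channels over which a Windows client sends NTLM authentication to a remote host; an internal machine reaching an external host on those ports is the outbound pattern a credential-theft attempt leaves behind. The log format, the helper names and the address ranges treated as internal are assumptions of this example.

```python
"""Flag outbound SMB/NetBIOS connections that could carry NTLM credentials.

Added example for the article; the log format below is constructed:
  <timestamp> <ACTION> <PROTO> <src_ip>:<src_port> <dst_ip>:<dst_port>
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Ports on which a Windows client authenticates with NTLM to a remote host.
# Connections to these ports should stay inside the organisation's network.
NTLM_BEARING_PORTS = {445: "SMB", 139: "NetBIOS session"}

# Explicit RFC 1918 and loopback ranges. We do not use ip_address().is_private
# because Python also classifies documentation ranges such as 203.0.113.0/24
# as private, which would hide external destinations in test data.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>[A-Z]+)\s+(?P<proto>[A-Za-z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    ts: str
    action: str
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return an Alert for every internal->external TCP 445/139 connection.

    Denied connections are reported too: a blocked attempt still shows that
    something on the source host tried to authenticate to an outside server.
    """
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the expected format
        dport = int(m["dport"])
        if m["proto"].upper() != "TCP" or dport not in NTLM_BEARING_PORTS:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            reason = (f"outbound {NTLM_BEARING_PORTS[dport]} to external host "
                      f"(possible NTLM credential leak)")
            alerts.append(Alert(m["ts"], m["action"], m["src"],
                                m["dst"], dport, reason))
    return alerts


def sources_to_investigate(alerts: Iterable[Alert]) -> List[str]:
    """Distinct internal hosts that produced alerts, in first-seen order."""
    seen: List[str] = []
    for a in alerts:
        if a.src not in seen:
            seen.append(a.src)
    return seen


# Constructed sample log: one internal file-server access (benign), one
# allowed and one denied connection to external hosts on 445/139, and some
# unrelated traffic that must not trigger an alert.
SAMPLE_LOG = """\
2024-02-14T09:12:01Z ALLOW TCP 10.0.5.23:52113 10.0.5.10:445
2024-02-14T09:12:07Z ALLOW TCP 10.0.5.23:52120 203.0.113.45:445
2024-02-14T09:12:09Z ALLOW TCP 10.0.5.23:52121 203.0.113.45:443
2024-02-14T09:12:15Z DENY TCP 10.0.5.40:49876 198.51.100.7:139
2024-02-14T09:12:20Z ALLOW UDP 10.0.5.23:137 10.0.5.255:137
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.action:5} {alert.src} -> {alert.dst}:{alert.dport}"
              f"  {alert.reason}")
    print("hosts to investigate:", ", ".join(sources_to_investigate(scan(SAMPLE_LOG))))
```

In practice the regular expression is swapped for the parser of whatever firewall or proxy exports the logs; the decision logic (internal source, external destination, NTLM-bearing port) stays the same, and the hosts it reports are the ones whose Outlook client should be checked for an unpatched build.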

Lastly, user awareness and training remain crucial in the defense against phishing-based exploits. Employees should be educated on the risks of clicking on unexpected links, even in emails that appear legitimate.

IT administrators should apply security policies that minimize exposure to potentially harmful content and make sure endpoint protection solutions, such as Microsoft Defender, are correctly configured to detect and block exploit attempts. Given the active exploitation of this flaw by cybercriminals, proactive security measures are highly advisable to reduce the likelihood of a successful attack.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he serves as Editor-in-chief.
