Critical Severity
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
Description
This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE.
Successful exploitation bypasses the built-in Outlook protections for malicious links embedded in messages by using the file:// protocol and an exclamation mark in URLs that point to attacker-controlled servers.
References
Sublime Security
Created Feb 15th, 2024 • Last updated Feb 15th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
// Flag inbound messages carrying a file:// link whose URL has a dotted suffix
// (e.g. ".rtf" or ".co.uk") immediately followed by "!", the pattern this CVE abuses.
and any(body.links,
        .href_url.scheme == "file"
        and regex.icontains(.href_url.url, '\.[a-z]{2,4}(\.[a-z]{2,4})?!')
)
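To show what the rule above actually matches, the following is an added Python re-implementation of the same two conditions (file: scheme plus the rule's regex) run over a few constructed sample links; it is not Sublime's code, and the hostnames, the `direction` parameter and the `flag_message` helper are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Same pattern the rule applies with regex.icontains: a dotted, letters-only
# suffix of 2-4 characters (optionally two of them, e.g. ".co.uk") followed
# immediately by "!". IGNORECASE mirrors the "i" in icontains.
MONIKER_BANG = re.compile(r'\.[a-z]{2,4}(\.[a-z]{2,4})?!', re.IGNORECASE)


def is_cve_2024_21413_link(href: str) -> bool:
    """Return True when the link uses the file scheme AND matches the rule's regex.

    Both conditions must hold: an https:// link containing "!" is not flagged,
    and a file:// link without the "!" separator is not flagged either.
    """
    scheme = urlsplit(href).scheme.lower()
    return scheme == "file" and bool(MONIKER_BANG.search(href))


def flag_message(direction: str, links: list[str]) -> list[str]:
    """Mirror the full rule: only inbound messages are evaluated (type.inbound),
    and any matching body link is enough to fire. Returns the matching links."""
    if direction != "inbound":
        return []
    return [href for href in links if is_cve_2024_21413_link(href)]


# Constructed sample links for illustration (not taken from real messages).
SAMPLE_LINKS = [
    "https://example.com/docs!readme",                 # "!" but not file:// -> no match
    "file://example.invalid/share/doc.rtf!open",       # file:// + ".rtf!"  -> match
    "file://server.example/share/report.docx",         # file:// but no "!" -> no match
    "mailto:someone@example.com",                      # unrelated scheme   -> no match
]

if __name__ == "__main__":
    for href in flag_message("inbound", SAMPLE_LINKS):
        print("flagged:", href)
```

The check is deliberately identical to the rule rather than stricter, so it reproduces the rule's decisions on a given link list; tuning (for instance, restricting to UNC-style hosts) should be done in the rule itself.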