• Sublime Core Feed
Critical Severity

Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability

Labels

Malware/Ransomware
Evasion
Exploit
URL analysis

Description

This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE.

Successful exploitation can bypass built-in Outlook protections for malicious links embedded in messages by using the file:// protocol and an exclamation mark to URLs pointing to attacker-controlled servers."

References

Sublime Security
Created Feb 15th, 2024 • Last updated Feb 15th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(body.links,
        .href_url.scheme == "file"
        and regex.icontains(.href_url.url, '\.[a-z]{2,4}(\.[a-z]{2,4})?!')
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started