CVE-2024-21378 Detection: Vulnerability in Microsoft Outlook Leads to Authenticated Remote Code Execution

Hot on the heels of nasty JetBrains TeamCity vulnerabilities (CVE-2024-27198, CVE-2024-2719), security experts reveal a new RCE affecting Microsoft Outlook. Authenticated adversaries might leverage the security issue to execute malicious code on the impacted instance, achieving extensive control over it. Although the vulnerability was patched by Microsoft in February 2024, the vendor classifies it as “Exploitation More Likely”, especially in view of a recent proof-of-concept (PoC) release.

Detect CVE-2024-21378 Exploitation Attempts

In light of CVE-2024-21378 potentially weaponized for in-the-wild campaigns, it’s vital for cyber defenders to defend proactively and spot suspicious activity at the earliest possible stages of the attack development. SOC Prime Platform aggregates a set of curated Sigma rules to identify malicious activity linked to Microsoft Outlook vulnerability exploitation. 

Possible CVE-2024-21378 (Remote Code Execution in Microsoft Outlook) Exploitation Attempt (via registry_event)

Possible CVE-2024-21378 (Remote Code Execution in Microsoft Outlook) Exploitation Attempt (via process_creation)

Possible CVE-2024-21378 (Remote Code Execution in Microsoft Outlook) Exploitation Attempt (via file_event)

The rules by the SOC Prime Team detect operations related to an Outlook form and a file change in a specific path related to it that could be used to place malicious DLL files. All detections are compatible with 28 SIEM, EDR, XDR, and Data Lake technologies and mapped to MITRE ATT&CK framework v14.1 addressing Defense Evasion tactic, with Hijack Execution Flow (T1574) as a main technique.

Security professionals seeking ways to supercharge their cyber resilience against emerging threats of any scale, including trending CVEs, might dive into the entire collection of detection algorithms addressing vulnerability exploitation. Just hit the Explore Detections button below and drill down to the rules list enriched with extensive metadata and tailored intelligence. 

Explore Detections

CVE-2024-21378 Analysis: Remote Code Execution in Microsoft Outlook

Back in 2023, researchers at NetSpi discovered an authenticated remote code execution vulnerability impacting Microsoft Outlook. The flaw tracked as CVE-2024-21378 enables hackers to execute malicious code on the affected system. Yet, to exploit the issue, threat actors require authentication with LAN access and a valid access token for an Exchange user. Further, a targeted user is tricked into interacting with a crafted file to trigger subsequent attack steps. 

Notably, exploitation relies on the attack vector described by Etienne Stalmans at SensePost back in 2017. This method leverages VBScript code within Outlook form objects to reach RCE with access to the mailbox. Although Microsoft has addressed the issue with relevant patching, the vulnerable synchronization function of the form objects has never been altered, which resulted in Outlook’s security gap in the limelight.  

The flaw was reported to Microsoft in 2023, and the vendor patched it in all supported Outlook versions on February 13, 2024. On March 11, NetSpi researchers shared an overview of the flaw, including details on the related PoC code. 

With the details of the CVE-2024-21378 publicly accessible on the web, the risk of potential exploitation is growing, which fuels ultra-responsiveness from defenders. Leveraging SOC Prime’s Attack Detective, security engineers can elevate the organization’s cybersecurity posture by timely identifying cyber defense blind spots, identifying proper data to collect to address these gaps and optimize SIEM ROI, and prioritizing detection procedures before adversaries have a chance to strike.