Check Point Email Security | Blog

Latest Zero-Click Attack in Outlook Delivers Instant Malware

Written by John Macario | June 20, 2024

Earlier this year, we reported on Zero-Click Attacks in Microsoft Outlook that could compromise a user without them taking any action. Cyber Security News recently reported a new version of this critical attack, designated as CVE-2024-30103.

When exploited, this vulnerability allows attackers to execute arbitrary code by sending a specially crafted email. The danger is amplified by the fact that most Outlook users have the software automatically open an email in the preview pane when they select it or after they respond to a previous email.

Morphisec discovered this critical issue on April 3rd and promptly reported it to Microsoft. Microsoft confirmed the vulnerability on April 16th and issued a patch on June 11th as part of its Patch Tuesday updates.

According to Morphisec’s analysis, the vulnerability lies in how Outlook processes certain email components. When an email is opened, a buffer overflow is triggered, allowing the attacker to execute code with the same privileges as the user. Per Morphisec, “This can lead to a full system compromise, data theft, or further propagation of malware within a network.”

Because Outlook is widely used, any vulnerability will be attacked broadly, and an exploit could lead to data breaches, ransomware, and damaged corporate reputations. 

These attacks are particularly risky because they don’t rely on an end-user mistake. As soon as the email is opened through a click or gets the focus and is presented in the preview pane, it is game over. In addition, post-delivery email security solutions that don’t stop this exploit before it is delivered to the inbox are often completely ineffective in blocking these attacks.

“Zero-Click is the perfect phishing attack because it doesn’t have to fool anyone. That is why hackers will continue to search for vulnerabilities that can create the perfect phish,” says Nicholas O’Hara, Check Point’s Head of Security Engineering for the Americas. “Post-delivery solutions are unable to stop these attacks. There are enough of them at this point that we recommend organizations that rely on post-delivery email security tools to re-evaluate this approach.”

Harmony Email and Collaboration, implemented in full protect mode, will prevent these attacks from ever reaching the user’s inbox. Check Point also recommends that organizations ensure Outlook has been patched for all users with the recent update and continues to be properly patched in the organization.