Query Details

CVE-2025-21298 Zero-Click RCE

Query

// https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21298

// Step 1: file names of RTF attachments that arrived inbound and were not blocked
// (LatestDeliveryAction != "Blocked" still includes delivered, junked and replaced mail).
let InboundRTF =
EmailAttachmentInfo
| where FileType == "rtf"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound" and LatestDeliveryAction != "Blocked"
| distinct FileName;
// Step 2: devices that Defender Vulnerability Management still reports as missing the fix.
let VulnerableEP =
DeviceTvmSoftwareVulnerabilities 
| where CveId == "CVE-2025-21298"
| distinct DeviceName;
// Step 3: an RTF written to disk by Outlook (what happens when an attachment is opened or
// previewed) whose name matches a delivered attachment, on a device that is still vulnerable.
DeviceFileEvents 
| where ActionType == "FileCreated" and FileName endswith ".rtf"
// "==" is case-sensitive; use =~ if your telemetry reports the process as OUTLOOK.EXE.
| where InitiatingProcessFileName == "outlook.exe"
| where parse_json(AdditionalFields)["FileType"] == 'Rtf'
// has_any is a term match, so short or common file names can over-match; in~ is stricter.
| where FileName has_any(InboundRTF) and DeviceName has_any(VulnerableEP)

Explanation

This KQL query hunts for exposure to CVE-2025-21298, a Windows OLE remote code execution vulnerability. Microsoft's advisory describes exploitation through a specially crafted email that the victim opens or previews in Outlook, which is why the query keys on RTF attachments and on RTF files that Outlook itself writes to disk. It correlates three signals:

  1. Identify Inbound RTF Attachments:

    • It takes email attachments whose FileType is "rtf", joins them to EmailEvents on NetworkMessageId, and keeps only inbound messages whose latest delivery action was not "Blocked" (so delivered, junked and replaced mail all count).
    • It collects the distinct file names of these RTF attachments.
  2. Identify Vulnerable Devices:

    • It takes the devices that Defender Vulnerability Management (DeviceTvmSoftwareVulnerabilities) still lists as affected by CVE-2025-21298 and collects their device names.
  3. Detect Risky File Creation Events:

    • It searches DeviceFileEvents for FileCreated events where the file name ends in .rtf.
    • It requires that the creating process was outlook.exe and that the file type recorded in AdditionalFields is RTF, which is what an attachment being opened or previewed looks like on the endpoint.
    • It keeps only events whose file name matches one of the inbound RTF attachments and whose device name matches one of the vulnerable devices.

The result is a list of delivered RTF attachments that Outlook wrote to disk on a device that still lacks the patch. That is an exposure hunt, not evidence of exploitation: the query does not inspect the RTF for an OLE object, and a hit should be triaged by pulling the message and the file. Two caveats when tuning it: matching on file name alone over-matches on common names and misses renamed copies, so the attachment SHA256 (present in both EmailAttachmentInfo and DeviceFileEvents) is a more precise join key where it is populated; and the "outlook.exe" comparison uses ==, which is case-sensitive in KQL.
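A variant of the hunt keyed on the attachment hash instead of the file name, carrying the sender, subject and recipient through so a hit can be triaged without a second query. This is an added example, not part of the original query; it assumes the Defender XDR advanced hunting column names, a 7-day lookback, and DeviceId rather than DeviceName as the device key.

```kql
// Added example, not part of the original query: the same hunt keyed on the attachment
// SHA256 instead of the file name, carrying sender, subject and recipient through for triage.
// Assumptions: Defender XDR advanced hunting column names; a 7-day lookback; DeviceId as the
// device key (DeviceName can repeat across re-enrolled devices).
let lookback = 7d;
// Devices Defender Vulnerability Management still reports as affected.
let VulnerableEP =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2025-21298"
    | distinct DeviceId;
// Inbound RTF attachments that were not blocked, one row per message and recipient,
// with the attachment hash as the correlation key.
let InboundRTF =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileType == "rtf" or FileName endswith ".rtf"
    | where isnotempty(SHA256)
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | where EmailDirection == "Inbound" and LatestDeliveryAction != "Blocked"
        | project NetworkMessageId, RecipientEmailAddress, Subject, LatestDeliveryLocation
      ) on NetworkMessageId, RecipientEmailAddress
    | project MailTimestamp = Timestamp, NetworkMessageId, AttachmentName = FileName, SHA256,
              SenderFromAddress, RecipientEmailAddress, Subject, LatestDeliveryLocation;
// RTF files written by Outlook on a still-vulnerable device, joined to the mail by hash.
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated" and FileName endswith ".rtf"
| where InitiatingProcessFileName =~ "outlook.exe"   // case-insensitive match
| where DeviceId in (VulnerableEP)
| where isnotempty(SHA256)
| join kind=inner InboundRTF on SHA256
| where Timestamp >= MailTimestamp   // the file cannot predate the message that carried it
| project Timestamp, DeviceName, DeviceId, FileName, FolderPath, SHA256,
          MailTimestamp, SenderFromAddress, RecipientEmailAddress, Subject,
          LatestDeliveryLocation, NetworkMessageId
| order by Timestamp desc
```

The hash is not always populated on FileCreated events (it is computed after the write and can lag or be missing), which is why both sides filter on isnotempty(SHA256); keep the original name-based query as a fallback for events where the hash never arrives. Joining EmailAttachmentInfo to EmailEvents on both NetworkMessageId and RecipientEmailAddress avoids a cross product for messages sent to several recipients.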

Details


Steven Lim

Released: January 20, 2025

Tables

EmailAttachmentInfo, EmailEvents, DeviceTvmSoftwareVulnerabilities, DeviceFileEvents

Keywords

EmailAttachmentInfo, EmailEvents, DeviceTvmSoftwareVulnerabilities, DeviceFileEvents, FileName, NetworkMessageId, EmailDirection, LatestDeliveryAction, CveId, DeviceName, ActionType, InitiatingProcessFileName, AdditionalFields, FileType

Operators

let, ==, |, join, on, and, !=, distinct, endswith, parse_json, has_any