Query Details
**Critical Windows OLE Zero-Click Vulnerability Lets Attackers Execute Arbitrary Code**
**Description:** A serious security flaw, tracked as CVE-2025-21298, has been found in Microsoft's Windows OLE technology.
This zero-click bug, rated 9.8 on the CVSS scale, lets attackers remotely run malicious code by targeting Microsoft Outlook and other applications, with no user interaction needed.
The issue lies in how a specific function handles OLE objects inside RTF files. Attackers can take advantage of this by sending a malicious email with an RTF attachment. Just opening or even previewing the email in Microsoft Outlook is enough to trigger the exploit, letting attackers run code on the system without any user action needed.
This KQL query detects received emails that carry an .rtf attachment. It includes an allowlist of trusted sender domains so known-good senders can be excluded and false positives reduced.
```
EmailAttachmentInfo
// endswith is case-insensitive in KQL, so "invoice.RTF" matches as well
| where FileName endswith ".rtf"
// join on the message id so attachment and envelope data refer to the same email
| join kind=inner (EmailEvents) on $left.NetworkMessageId == $right.NetworkMessageId
// country of the sender IP, for triage context
| extend Geo_IP = tostring(geo_info_from_ip_address(SenderIPv4).country)
// allowlisted sender domains; !in is case-sensitive, use !in~ for a case-insensitive match
| where SenderMailFromDomain !in ("trusteddomain1", "trusteddomain2")
// one row per sender / attachment / subject with the set of recipients
| summarize make_set(RecipientEmailAddress) by SenderDisplayName, SenderFromAddress, SenderIPv4, Geo_IP, FileName, Subject
```
This KQL query is designed to help identify potentially malicious emails that could exploit the critical Windows OLE vulnerability described above. Here's a simple breakdown of what the query does:

- **Targeting RTF attachments:** The query looks for emails that have attachments with the ".rtf" file extension. These files are associated with the vulnerability.
- **Joining email data:** It combines data from email attachments (EmailAttachmentInfo) and email events (EmailEvents) so that the information relates to the same email message.
- **Geolocation information:** The query extracts the country based on the sender's IP address, providing geographical context.
- **Excluding trusted domains:** To reduce false alarms, it excludes emails from the trusted sender domains specified in the query (e.g., "trusteddomain1", "trusteddomain2").
- **Summarizing results:** Finally, it summarizes the findings by listing the recipients of such emails, along with details about the sender (name, email address, IP address, country), the attachment file name, and the email subject.

Overall, this query helps security teams detect and investigate emails that might exploit the described vulnerability via RTF attachments, while allowing some customization to avoid unnecessary alerts.
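The same detection logic, reimplemented in Python over constructed sample rows so it can be run offline and its behaviour checked step by step. This is an added example, not part of the original query page: the `ATTACHMENTS`, `EVENTS` and `GEO_LOOKUP` data are made up, the geo lookup is a stand-in for the KQL `geo_info_from_ip_address()` function, and the trusted-domain comparison is done case-insensitively (the equivalent of `!in~` in KQL) because mail domains are not case-sensitive.

```python
"""Python stand-in for the RTF-attachment KQL detection.

Mirrors the query: keep attachments whose name ends in .rtf (case-insensitive,
like KQL endswith), inner-join to the email events on NetworkMessageId, drop
allowlisted sender domains, and summarize recipients per sender/attachment/subject.
All sample data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed rows mirroring the EmailAttachmentInfo table.
ATTACHMENTS = [
    {"NetworkMessageId": "msg-001", "FileName": "invoice.rtf"},
    {"NetworkMessageId": "msg-002", "FileName": "Quarterly.RTF"},
    {"NetworkMessageId": "msg-003", "FileName": "report.pdf"},
    {"NetworkMessageId": "msg-004", "FileName": "Memo.RTF"},
]

# Constructed rows mirroring the EmailEvents table (one row per recipient).
EVENTS = [
    {"NetworkMessageId": "msg-001", "SenderDisplayName": "Billing Dept",
     "SenderFromAddress": "billing@example.net", "SenderMailFromDomain": "example.net",
     "SenderIPv4": "203.0.113.10", "Subject": "Invoice", "RecipientEmailAddress": "alice@corp.example"},
    {"NetworkMessageId": "msg-001", "SenderDisplayName": "Billing Dept",
     "SenderFromAddress": "billing@example.net", "SenderMailFromDomain": "example.net",
     "SenderIPv4": "203.0.113.10", "Subject": "Invoice", "RecipientEmailAddress": "bob@corp.example"},
    # Allowlisted sender: must be excluded even though the attachment is .RTF
    {"NetworkMessageId": "msg-002", "SenderDisplayName": "Partner",
     "SenderFromAddress": "news@trusteddomain1", "SenderMailFromDomain": "TrustedDomain1",
     "SenderIPv4": "198.51.100.7", "Subject": "Quarterly update", "RecipientEmailAddress": "carol@corp.example"},
    # PDF attachment: must be excluded by the extension filter
    {"NetworkMessageId": "msg-003", "SenderDisplayName": "HR",
     "SenderFromAddress": "hr@example.org", "SenderMailFromDomain": "example.org",
     "SenderIPv4": "198.51.100.7", "Subject": "Report", "RecipientEmailAddress": "dave@corp.example"},
    # Upper-case .RTF from a non-allowlisted sender: must be kept
    {"NetworkMessageId": "msg-004", "SenderDisplayName": "Unknown",
     "SenderFromAddress": "info@example.org", "SenderMailFromDomain": "example.org",
     "SenderIPv4": "198.51.100.7", "Subject": "Memo", "RecipientEmailAddress": "erin@corp.example"},
]

# Constructed stand-in for geo_info_from_ip_address(ip).country.
GEO_LOOKUP = {"203.0.113.10": "NL", "198.51.100.7": "US"}

TRUSTED_DOMAINS = {"trusteddomain1", "trusteddomain2"}

GROUP_COLUMNS = ("SenderDisplayName", "SenderFromAddress", "SenderIPv4",
                 "Geo_IP", "FileName", "Subject")


def is_rtf(filename):
    """KQL `endswith` is case-insensitive, so normalise before comparing."""
    return filename.lower().endswith(".rtf")


def detect_rtf_emails(attachments, events, trusted_domains, geo_lookup):
    """Return one summary row per (sender, IP, country, file, subject) with its recipients."""
    # Index events by message id so the join is a dictionary lookup.
    events_by_id = defaultdict(list)
    for ev in events:
        events_by_id[ev["NetworkMessageId"]].append(ev)

    trusted = {d.lower() for d in trusted_domains}
    grouped = defaultdict(set)
    for att in attachments:
        if not is_rtf(att["FileName"]):
            continue
        # kind=inner: attachments with no matching event simply produce no row.
        for ev in events_by_id.get(att["NetworkMessageId"], []):
            if ev["SenderMailFromDomain"].lower() in trusted:
                continue
            key = (ev["SenderDisplayName"], ev["SenderFromAddress"], ev["SenderIPv4"],
                   geo_lookup.get(ev["SenderIPv4"], ""), att["FileName"], ev["Subject"])
            grouped[key].add(ev["RecipientEmailAddress"])

    rows = [dict(zip(GROUP_COLUMNS, key), Recipients=sorted(recips))
            for key, recips in grouped.items()]
    return sorted(rows, key=lambda r: r["Subject"])


if __name__ == "__main__":
    for row in detect_rtf_emails(ATTACHMENTS, EVENTS, TRUSTED_DOMAINS, GEO_LOOKUP):
        print(row)
```

Running the module prints two summary rows: the "Invoice" message with both recipients collected into one set, and the upper-case "Memo.RTF" message, while the allowlisted sender and the PDF attachment are dropped. The `trusted` set is lower-cased once up front so a mixed-case `SenderMailFromDomain` value is still excluded, which is the behaviour the KQL query only gets with `!in~`.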

Sergio Albea
Released: February 4, 2025