On January 14, 2025, Microsoft's January security updates fixed CVE-2025-21298, a remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) component that was reported through Trend Micro's Zero Day Initiative. Because Outlook renders OLE content embedded in email, a malicious message can trigger the bug on an unpatched Windows machine even if you don't open an attachment or click a link. It has been widely described as a zero-day, but Microsoft's advisory did not report in-the-wild exploitation at disclosure; it rated the flaw "Exploitation More Likely." We'll examine this vulnerability and find out what all the fuss is about.
Very. Microsoft assigned it a CVSS 3.1 base score of 9.8 (out of 10): it is reachable over the network, needs no privileges, requires no user interaction beyond the message being previewed, and a successful exploit gives the attacker code execution with the victim's privileges (Remote Code Execution, or RCE).
The bug is a use-after-free in Windows OLE, the technology that lets documents and other objects be linked to or embedded in emails and other documents. A threat actor sends an email containing a specially crafted OLE object; when an unpatched machine parses that object, the memory corruption lets the attacker run code as the logged-on user. Simply having the message rendered in Outlook's Preview (reading) pane is enough, which is why there is no attachment to open or link to click. Note that the vulnerable code lives in Windows, not in Outlook itself: Outlook is the obvious delivery vector, but other applications that hand attacker-supplied OLE content to the same component (Word opening a malicious rich-text document, for example) rely on the same fix.
Microsoft has released a patch. Because the vulnerable code is in Windows, the fix is the January 2025 Windows cumulative update (delivered through Windows Update), not a new Outlook version; updating Outlook alone does not remove the flaw. If you can't update just yet, Microsoft's advisory lists reading email in plain text as a workaround, which stops Outlook from rendering rich content, including embedded OLE objects, in the preview pane:
From the File menu, go to "Options."
Then go to "Trust Center" and click "Trust Center Settings."
On the "Email Security" tab, check "Read all standard mail in plain text."
If you're in a high-risk environment, also check "Read all digitally signed email in plain text."
Once you've confirmed that the January 2025 Windows update is installed and the vulnerability is remediated, you can follow the same path and uncheck the boxes to get your "regular" email appearance back.
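For an administrator who has to apply the workaround to many mailboxes rather than clicking through Trust Center on each machine, the same checkboxes can be set from the registry. The script below is an added example written for this article, not code from Microsoft or RubinBrown. It assumes a current Office build (registry version 16.0; older builds use 15.0 or 14.0), that the per-user ReadAsPlain value under Options\Mail mirrors the Trust Center checkbox (Microsoft documents this in its plain-text reading KB article 831607), and that the policy-key equivalent and the ReadSignedAsPlain value match the Office Group Policy templates; confirm the last two against the ADMX files for your Office build before rolling this out. The patch check only confirms that a security update dated on or after the January 14, 2025 release is installed; it does not prove which KB that was.

```powershell
# Added example (not part of the original article): apply, verify, and revert the
# "read mail in plain text" workaround for CVE-2025-21298, and check whether a Windows
# security update dated on or after the January 14, 2025 release is present.
# Run in a PowerShell session as the affected user; the policy key needs no elevation
# because it lives under HKCU.
#
# Assumptions (not stated in the article):
#  - Outlook 2016/2019/2021/365 use registry version 16.0.
#  - ReadAsPlain under Options\Mail mirrors the Trust Center checkbox (KB 831607).
#  - ReadSignedAsPlain and the Policies\... key come from the Office ADMX templates;
#    verify against your build before relying on them.

param(
    [switch]$Revert,                 # uncheck the boxes once the patch is confirmed
    [switch]$IncludeSignedMail,      # also force digitally signed mail to plain text
    [string]$OfficeVersion = '16.0'  # registry version string for your Office build
)

$userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
$patchDate = Get-Date '2025-01-14'

function Set-PlainTextReading {
    param([string]$Key, [int]$Value, [bool]$Signed)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # 1 = render all standard mail as plain text; 0 = restore rich rendering.
    New-ItemProperty -Path $Key -Name 'ReadAsPlain' -PropertyType DWord -Value $Value -Force | Out-Null
    if ($Signed) {
        New-ItemProperty -Path $Key -Name 'ReadSignedAsPlain' -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

function Get-PlainTextState {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).ReadAsPlain
}

function Get-PostPatchTuesdayUpdates {
    # Security updates installed on or after Patch Tuesday, January 14, 2025.
    # An empty result means the machine has not taken the update that fixes CVE-2025-21298.
    Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -ge $patchDate } |
        Sort-Object InstalledOn -Descending
}

if ($Revert) {
    Set-PlainTextReading -Key $userKey -Value 0 -Signed $IncludeSignedMail
    # Remove the policy values rather than zeroing them; a policy value of 0 would keep
    # overriding the checkbox and stop users from re-enabling plain text themselves.
    foreach ($name in 'ReadAsPlain', 'ReadSignedAsPlain') {
        Remove-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    }
} else {
    # Set both keys: the user key keeps the Trust Center dialog consistent, the policy
    # key stops the user from turning the workaround back off.
    Set-PlainTextReading -Key $userKey   -Value 1 -Signed $IncludeSignedMail
    Set-PlainTextReading -Key $policyKey -Value 1 -Signed $IncludeSignedMail
}

"ReadAsPlain (user)   : {0}" -f (Get-PlainTextState $userKey)
"ReadAsPlain (policy) : {0}" -f (Get-PlainTextState $policyKey)

$patches = @(Get-PostPatchTuesdayUpdates)
if ($patches.Count -eq 0) {
    Write-Warning "No security update dated on or after $($patchDate.ToShortDateString()) found; keep the plain-text workaround in place."
} else {
    "Security updates installed since the January 2025 release:"
    $patches | Format-Table HotFixID, InstalledOn -AutoSize
}
```

Outlook reads these values at startup, so restart it after running the script. Run with `-Revert` once the patch check shows the January update; the script then clears the policy values and unchecks the user setting, matching the manual steps above.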
Quick action on vulnerabilities such as this can mean the difference between safety and disaster; confirm with your IT staff or external provider to ensure that your mailbox is safe and up to date.
If you have questions about this new vulnerability or any other cyber security topics, RubinBrown's Cyber Security Services team has experts ready to assist.
Published: 01/20/2025