- A vulnerability in Microsoft Outlook allowed threat actors to distribute malware via email
- The bug lies in Windows' Object Linking and Embedding (OLE) feature, and it can be triggered by merely previewing a message.
- A patch is now available and users are advised to apply it as soon as possible.
Microsoft has released a patch for a critical vulnerability that allowed threat actors to distribute malware through its Outlook email client, and given the severity of the flaw, users are advised to install the patch immediately.
In a security advisory, Microsoft detailed CVE-2025-21298, a use-after-free vulnerability with a CVSS severity score of 9.8/10 (critical). A use-after-free is a memory corruption bug in which a program keeps using a block of memory after it has been freed; an attacker who can control what is placed in that freed block can corrupt valid data or redirect the program's control flow, which in this case allows remote code execution and therefore remote malware delivery.
Located in Windows' Object Linking and Embedding (OLE) feature, the bug means that simply viewing a malicious email in the preview pane is enough to compromise the machine. Windows OLE is a technology that allows documents and other objects to be embedded in, or linked from, other documents. For example, users can embed an Excel chart in a Word document, and if the two are linked, updates to the Excel file will be reflected in the Word document.
Specially designed emails
“In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim,” Microsoft explained in the advisory.
“Exploitation of the vulnerability could involve a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or the victim’s Outlook application displaying a preview of a specially crafted email. This could cause the attacker to execute remote code on the victim’s machine.”
For those who can't apply the patch immediately, Microsoft suggests a number of mitigation measures, including reading all email as plain text and, on large networks, restricting NTLM traffic or disabling it entirely. Reading email as plain text means that HTML content and embedded elements such as images, animations, or custom fonts will not be rendered, which also keeps rich content from being parsed in the preview pane.
The loss of formatting is worth it, as malware delivered this way can cause serious business disruption, loss of customers, and possibly even regulatory fines.
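The two interim mitigations above are both registry-backed settings, so they can be audited and applied from PowerShell. The script below is an added example for this article and is not Microsoft's own tooling. It assumes an Outlook 2016/2019/Microsoft 365 install (the `16.0` registry hive), the documented `ReadAsPlain` value for Outlook's plain-text reading option, and the `RestrictSendingNTLMTraffic` value under `MSV1_0` that backs the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy; the key paths and the `-Apply` switch are this example's choices.

```powershell
# Added example: audit (and with -Apply, enforce) the two interim mitigations
# discussed in the article: read mail as plain text, restrict outbound NTLM.
# Assumptions: Outlook uses the 16.0 hive; run elevated to change the NTLM value.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

# Per-user Outlook option. Assumption: 16.0 covers Outlook 2016/2019/Microsoft 365.
$plainTextKey  = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
$plainTextName = 'ReadAsPlain'            # 1 = render all standard mail as plain text

# Machine-wide LSA setting behind the "Restrict NTLM: Outgoing NTLM traffic" policy.
$ntlmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlmName = 'RestrictSendingNTLMTraffic'  # 0 = allow all, 1 = audit all, 2 = deny all

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: treat as "not configured"
    }
}

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# --- 1. Plain-text rendering in Outlook ---
$current = Get-RegDword $plainTextKey $plainTextName
if ($current -eq 1) {
    Write-Host "[OK]   Outlook reads mail as plain text ($plainTextName = 1)"
} else {
    Write-Host "[WARN] Outlook renders rich mail in the preview pane ($plainTextName = $current)"
    if ($Apply) {
        Set-RegDword $plainTextKey $plainTextName 1
        Write-Host "       -> set $plainTextName = 1 (restart Outlook for it to take effect)"
    }
}

# --- 2. Outbound NTLM restriction ---
$current = Get-RegDword $ntlmKey $ntlmName
switch ($current) {
    2 { Write-Host "[OK]   Outgoing NTLM to remote servers is denied ($ntlmName = 2)" }
    1 { Write-Host "[INFO] Outgoing NTLM is audited only ($ntlmName = 1); review the NTLM operational log before moving to deny" }
    default {
        Write-Host "[WARN] Outgoing NTLM is unrestricted ($ntlmName = $current)"
        if ($Apply) {
            Set-RegDword $ntlmKey $ntlmName 2
            Write-Host "       -> set $ntlmName = 2; verify file shares and proxies that still need NTLM before rolling out"
        }
    }
}
```

Run it without arguments first to see the current state, then with `-Apply` from an elevated prompt. Denying outbound NTLM outright (value 2) is the setting that breaks legacy shares and proxies, which is why the script suggests passing through audit mode (value 1) on a large network; for a fleet, the same values are better pushed through Group Policy (the Outlook ADMX policy for reading mail as plain text and the "Network security: Restrict NTLM" security option) than set per machine.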
Via NotebookCheck