Dangerous Microsoft Outlook flaw could let hackers send out malware via email

(Image credit: Shutterstock)

A vulnerability in Microsoft Outlook allowed threat actors to distribute malware via email
The bug abuses the Windows Object Linking and Embedding function
A patch is already available, and users are advised to apply it ASAP

Microsoft has released a patch for a critical vulnerability that allowed threat actors to distribute malware through its Outlook email client - and given the severity of the flaw, users are advised to install the patch immediately.

In a security advisory, Microsoft detailed CVE-2025-21298, a use-after-free vulnerability with a severity score of 9.8/10 (critical). Use after free is a vulnerability in which threat actors are able to use previously freed memory, which allows them to corrupt valid data, or in this scenario - distributing malware remotely.

Located in the Windows Object Linking and Embedding (OLE) function, the bug means simply viewing a malicious email in the preview pane is enough to have the endpoint infected with malware. Windows OLE is a technology that allows embedding and linking to documents and other objects. For example, users could embed an Excel chart into a Word document, and updates in the Excel file will reflect in the Word document, if linked.

Specially crafted emails

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” Microsoft explained in the advisory.

“Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email . This could result in the attacker executing remote code on the victim's machine.”

For those that cannot apply the patch immediately, Microsoft suggests a number of mitigations, including viewing emails as plain text and, in large LAN networks, restricting NTLM traffic, or disabling it altogether. Viewing emails as plain text means other multimedia, such as images, animations, or different fonts, will not be displayed.

It’s worth the trouble, though, since the malware sent this way can cause severe business disruptions, loss of customers, and possibly even regulatory fines.

Via NotebookCheck

This new malware campaign can hijack your Gmail or Outlook email account
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.