From 995df52f47284d130b8cbf57d08c31e927e44c09 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 17 Feb 2024 10:53:38 +0100
Subject: [PATCH] Create expl_outlook_cve_2024_21413.yar
---
yara/expl_outlook_cve_2024_21413.yar | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 yara/expl_outlook_cve_2024_21413.yar
diff --git a/yara/expl_outlook_cve_2024_21413.yar b/yara/expl_outlook_cve_2024_21413.yar
new file mode 100644
index 00000000..86611474
--- /dev/null
+++ b/yara/expl_outlook_cve_2024_21413.yar
@@ -0,0 +1,18 @@
+
+rule EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 {
+ meta:
+ description = "Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook"
+ author = "Florian Roth"
+ reference = "https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/"
+ date = "2024-02-17"
+ score = 75
+ strings:
+ $a1 = "Subject: "
+ $a2 = "Received: "
+
+ $xr1 = /href[\s=3D"']{2,20}file:\/\/\/\\\\[^"']{6,200}!/
+ condition:
+ filesize < 800KB
+ and all of ($a*)
+ and 1 of ($xr*)
+}
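Review bot: `$xr1` in the strings section is matched case-sensitively, although HTML attribute names and URI schemes are case-insensitive, so the same link written with different casing would not be detected; adding the modifier, `$xr1 = /href[\s=3D"']{2,20}file:\/\/\/\\\\[^"']{6,200}!/ nocase`, makes the match robust without changing the pattern. Inside the character class, `=3D` only adds the characters `3` and `D` to the set, presumably to tolerate quoted-printable `=3D`; a short comment such as `// class also accepts quoted-printable "=3D"` would keep a later maintainer from "correcting" it. The rule matches raw bytes, so it only sees the link when the HTML part is stored as plain or quoted-printable text. The description could state that base64-encoded parts have to be decoded before scanning.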