Microsoft has patched a critical zero-click Outlook vulnerability that security researcher Haifei Li calls an "enterprise killer": attackers can execute code simply by sending an email that is read or previewed, with no clicking required. The flaw, tracked as CVE-2026-40361, is a use-after-free bug affecting Outlook's email rendering engine. Because the attack arrives by email, it bypasses firewalls and directly targets executives' inboxes, though developing a full working exploit remains challenging. Li recommends immediate patching and notes that switching Outlook to plain text mode is the only effective mitigation aside from the security update.