| Item | Value |
|---|---|
| ID | DET0029 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1137.003 (Outlook Forms)
Analytics
Windows
AN0085
Adversary uses a tool such as Ruler to insert a malicious custom form into the user's Outlook mailbox. The form is designed to execute automatically when Outlook starts or when a specially crafted email that invokes the form's message class arrives. The result is child processes launched from outlook.exe, possibly followed by network connections or payload loading.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| FormStorageLocation | Malicious forms may be stored in various user-specific locations in the Outlook mailbox and registered under a custom message class (e.g., a class derived from IPM.Note) |
| ChildProcessName | The child process spawned by outlook.exe may vary (e.g., powershell.exe, rundll32.exe, mshta.exe) |
| TimeWindow | Form-triggered execution may happen immediately upon Outlook startup or with a delay after the crafted message arrives |
| OutlookVersion | Form behavior and error logs may vary across Outlook 2013, 2016, and M365 builds |
| UserContext | The attack may target only specific users; per-account baselining requires contextual correlation |
Office Suite
AN0086
Outlook form execution upon message receipt or client launch results in automated code execution within the user's session. Form definitions deviate from standard templates and include script logic or COM object calls embedded in form fields.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| AuditPolicyScope | Not all tenants enable audit logging of custom form activity or COM component usage in Office |
| MessageSenderAnomalyThreshold | Ruler-style delivery may come from external accounts with forged headers or low reputation |
| FormExecutionRate | The frequency of form triggers may be anomalously high compared to baseline Outlook usage |