Skip to content

DET0177 Detect Persistence via Outlook Home Page Exploitation

Item Value
ID DET0177
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1137.004 (Outlook Home Page)

Analytics

Windows

AN0502

Adversary uses a tool like Ruler to configure a malicious Outlook folder Home Page that loads a remote or embedded HTML payload upon folder interaction. Execution chain begins with Outlook launching, a specific folder being accessed, and a suspicious child process being spawned or COM-based execution invoked.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Application Log Content (DC0038) WinEventLog:Application Outlook logs indicating failure to load or render HTML page in Home Page view
Command Execution (DC0064) WinEventLog:PowerShell Execution of PowerShell script to enumerate or remove malicious Home Page folder config
Mutable Elements
Field Description
TargetFolder Home Page can be configured on any folder like Calendar, Inbox, or custom folders
HTMLPayloadLocation The Home Page URL may point to internal or external content, hosted on trusted or unknown domains
ChildProcessName Execution may result in launch of scripting hosts (e.g., mshta.exe, wscript.exe) from outlook.exe
TimeWindow Execution may occur only when the specific folder is accessed after launch, not immediately at startup
FormViewBehavior Behavior may vary if the folder’s form view is customized or suppressed via GPO

Office Suite

AN0503

Malicious HTML or script is rendered as a Home Page for a specific Outlook folder. Outlook accesses that folder, loads remote content, and executes embedded JavaScript or ActiveX/COM logic resulting in unauthorized actions or local execution.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) m365:unified Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder
Command Execution (DC0064) m365:messagetrace Inbound email triggering Outlook to auto-access folder tied to malicious Home Page
Mutable Elements
Field Description
AuditPolicyScope Home Page customization may not be audited unless detailed message or folder auditing is enabled
FolderAccessRate Anomalous access to folders not usually interacted with can signal triggering of malicious view
ExternalURLAllowlist Mail clients may restrict remote Home Page content unless domain is explicitly allowed