Skip to content

T1137.003 Outlook Forms

Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.1

Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.1

Item Value
ID T1137.003
Sub-techniques T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006
Tactics TA0003
Platforms Office 365, Windows
Permissions required Administrator, User
Version 1.1
Created 07 November 2019
Last Modified 16 August 2021

Procedure Examples

ID Name Description
S0358 Ruler Ruler can be used to automate the abuse of Outlook Forms to establish persistence.6


ID Mitigation Description
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 4
M1051 Update Software For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.1 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.5


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0009 Process Process Creation