T1137.005 Outlook Rules
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.1
Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.1
| Item | Value |
|---|---|
| ID | T1137.005 |
| Sub-techniques | T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006 |
| Tactics | TA0003 |
| Platforms | Office 365, Windows |
| Permissions required | Administrator, User |
| Version | 1.1 |
| Created | 07 November 2019 |
| Last Modified | 15 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0358 | Ruler | Ruler can be used to automate the abuse of Outlook Rules to establish persistence.8 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 7 |
| M1051 | Update Software | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.5 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.6 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
References
-
Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved February 4, 2019. ↩↩
-
Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019. ↩
-
Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021. ↩
-
SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019. ↩
-
Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019. ↩
-
Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019. ↩
-
Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. ↩
-
SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019. ↩