An adversary uses a tool such as Ruler to set a malicious Home Page on an Outlook folder so that a remote or embedded HTML payload is loaded whenever that folder is opened. The execution chain is: Outlook launches, the folder is opened (by the user or by Outlook itself), the Home Page renders, and its script either spawns a suspicious child process of outlook.exe or invokes COM-based execution without a separate process.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Application Log Content (DC0038) | WinEventLog:Application | Outlook logs indicating failure to load or render HTML page in Home Page view |
| Command Execution (DC0064) | WinEventLog:PowerShell | Execution of PowerShell script to enumerate or remove malicious Home Page folder config |

| Field | Description |
|---|---|
| TargetFolder | A Home Page can be set on any folder, including Inbox, Calendar, and custom folders; the target is not limited to the Inbox |
| HTMLPayloadLocation | The Home Page URL may point to internal or external content, hosted on a trusted or an unknown domain, or to a local file |
| ChildProcessName | Execution may appear as a scripting host (e.g., mshta.exe, wscript.exe) launched with outlook.exe as the parent process, or it may stay in-process via COM and produce no child process at all |
| TimeWindow | Execution occurs when the folder is opened: for the Inbox or another startup folder that can be at launch, for other folders only when the user (or Outlook, e.g. via a rule) opens them, so the event may lag process start by hours |
| FormViewBehavior | Behavior may vary if the folder's form view is customized or if Home Pages are suppressed via GPO or the Outlook Security registry settings |
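The following PowerShell is an added example and not part of this ATT&CK page or any tool it mentions. It implements the host-side checks described above: the Sysmon EventCode=1 analytic (outlook.exe as parent of a scripting host), the enumeration and removal of folder Home Pages referenced in the Command Execution row, and a check of the Outlook Security registry values that gate whether Home Pages are honoured at all. It assumes Sysmon is writing to its default operational log, that Outlook is installed and can be driven over COM from the current user's session, and that the list of script hosts is a starting point rather than an exhaustive one; the registry value names are the ones Microsoft documented when its 2017 security update disabled folder Home Pages by default, so verify them against your Office build.

```powershell
# Added example (not code from the ATT&CK page). Host-side checks for a malicious Outlook folder Home Page.
# Assumptions: Sysmon logs to Microsoft-Windows-Sysmon/Operational; Outlook is installed and reachable over COM
# from this user's session; $ScriptHosts is my starting list, not an exhaustive one.

# Child processes of outlook.exe worth alerting on. Extend for your environment.
$ScriptHosts = @('mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe',
                 'cmd.exe', 'rundll32.exe', 'regsvr32.exe', 'msbuild.exe', 'certutil.exe')

# Process Creation analytic: Sysmon EventCode=1 with ParentImage = outlook.exe and Image = a script host.
function Get-OutlookChildProcessEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read fields by name from the XML payload; Properties[] indexes shift between Sysmon schema versions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data.User
            ParentImage = $data.ParentImage
            Image       = $data.Image
            CommandLine = $data.CommandLine
        }
    } | Where-Object {
        $_.ParentImage -and (Split-Path $_.ParentImage -Leaf) -ieq 'outlook.exe' -and
        $_.Image -and ($ScriptHosts -contains (Split-Path $_.Image -Leaf))
    }
}

# Command Execution row: enumerate every folder in every open store that has a Home Page configured.
# Outlook exposes the folder Home Page over COM as Folder.WebViewURL / Folder.WebViewOn.
function Get-OutlookFolderHomePages {
    $outlook = New-Object -ComObject Outlook.Application
    $ns = $outlook.GetNamespace('MAPI')
    $stack = New-Object System.Collections.Stack
    foreach ($store in $ns.Folders) { $stack.Push($store) }
    while ($stack.Count -gt 0) {
        $folder = $stack.Pop()
        foreach ($child in $folder.Folders) { $stack.Push($child) }
        if (-not [string]::IsNullOrEmpty($folder.WebViewURL)) {
            [pscustomobject]@{
                FolderPath = $folder.FolderPath
                WebViewOn  = [bool]$folder.WebViewOn
                WebViewURL = $folder.WebViewURL
                Folder     = $folder   # the COM object, so Remove-OutlookFolderHomePage can act on it
            }
        }
    }
}

# Remediation: clear the Home Page on a folder. Pipe triaged objects from Get-OutlookFolderHomePages in.
function Remove-OutlookFolderHomePage {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)]$Folder)
    process {
        if ($PSCmdlet.ShouldProcess($Folder.FolderPath, 'Clear folder Home Page')) {
            $Folder.WebViewOn  = $false
            $Folder.WebViewURL = ''
        }
    }
}

# FormViewBehavior caveat: since Microsoft's 2017 update, Outlook ignores folder Home Pages unless
# EnableRoamingFolderHomepages (and NonDefaultStoreScript, for non-default stores) is set to 1 under the
# Outlook Security key. A value of 1 here on a host that has no business need for Home Pages is itself a finding.
function Get-OutlookHomePagePolicy {
    foreach ($ver in '16.0', '15.0', '14.0') {
        foreach ($base in 'HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office') {
            $key = "$base\$ver\Outlook\Security"
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                [pscustomobject]@{
                    Key                          = $key
                    EnableRoamingFolderHomepages = $p.EnableRoamingFolderHomepages
                    NonDefaultStoreScript        = $p.NonDefaultStoreScript
                }
            }
        }
    }
}

# Usage (the intranet URL is a placeholder for whatever your organisation legitimately allows):
Get-OutlookChildProcessEvents -Hours 72 | Format-Table -AutoSize
Get-OutlookHomePagePolicy
Get-OutlookFolderHomePages | Select-Object FolderPath, WebViewOn, WebViewURL
# Get-OutlookFolderHomePages | Where-Object WebViewURL -notmatch '^https://intranet\.example\.com/' |
#     Remove-OutlookFolderHomePage -WhatIf
```

Reading the Sysmon log needs local administrator or Event Log Readers membership, whereas the COM part must run in the mailbox owner's interactive session at the same integrity level as Outlook (an elevated prompt will typically fail to attach to a non-elevated Outlook). The process-creation check catches only the child-process variant of the technique; a Home Page that stays in-process via COM produces no EventCode=1 and is found only by the enumeration, which is why both are run together. Remove the `-WhatIf` only after the URL has been triaged, since clearing the Home Page also destroys evidence of where the payload was hosted.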
Malicious HTML or script is configured as the Home Page of a specific Outlook folder. When Outlook opens that folder it loads the remote content and executes the embedded JavaScript or ActiveX/COM logic, resulting in unauthorized actions in the mailbox or local code execution on the client.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder |
| Command Execution (DC0064) | m365:messagetrace | Inbound email triggering Outlook to auto-access folder tied to malicious Home Page |

| Field | Description |
|---|---|
| AuditPolicyScope | Home Page changes may not appear in the audit log unless detailed mailbox and folder auditing is enabled for the affected mailbox; confirm coverage before relying on this analytic |
| FolderAccessRate | Anomalous access to a folder the user does not normally interact with can signal that the malicious view was triggered |
| ExternalURLAllowlist | Mail clients may block remote Home Page content unless the domain is explicitly allowed, so the same configuration can be inert on one client and live on another |