ID | Name |
---|---|
T1137.001 | Office Template Macros |
T1137.002 | Office Test |
T1137.003 | Outlook Forms |
T1137.004 | Outlook Home Page |
T1137.005 | Outlook Rules |
T1137.006 | Add-ins |
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.[1]
Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.[1]
ID | Name | Description |
---|---|---|
S0358 | Ruler |
Ruler can be used to automate the abuse of Outlook Forms to establish persistence.[2] |
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [3] |
M1051 | Update Software |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[1] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[4] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[5] |
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[6] |
DS0009 | Process | Process Creation |
Monitor newly executed processes that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. |