1. Home
  2. Techniques
  3. Enterprise
  4. Office Application Startup
  5. Outlook Forms

Office Application Startup: Outlook Forms

ID Name
T1137.001 Office Template Macros
T1137.002 Office Test
T1137.003 Outlook Forms
T1137.004 Outlook Home Page
T1137.005 Outlook Rules
T1137.006 Add-ins

Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.[1]

Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.[1]

ID: T1137.003
Sub-technique of:  T1137
Tactic: Persistence
Platforms: Office Suite, Windows
Version: 1.2
Created: 07 November 2019
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0358 Ruler

Ruler can be used to automate the abuse of Outlook Forms to establish persistence.[2]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [3]
M1051 Update Software

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[1] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[4]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0029 Detect Persistence via Outlook Custom Forms Triggered by Malicious Email AN0085

Adversary uses a tool like Ruler to insert a malicious custom form into the user's Outlook mailbox. The form is designed to auto-execute on Outlook startup or on receipt of a specially crafted email. This results in child processes launched from outlook.exe and possibly network connections or payload loading.
AN0086

Outlook form execution upon message receipt or client launch results in automated code execution within user session. Form definitions deviate from standard templates and include script logic or COM object calls embedded in form fields.

References

  1. Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
  2. SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.
  1. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  2. Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.