- Home
- Techniques
- Enterprise
- Office Application Startup
- Outlook Rules
Office Application Startup: Outlook Rules
Other sub-techniques of Office Application Startup (6)
| ID | Name |
|---|---|
| T1137.001 | Office Template Macros |
| T1137.002 | Office Test |
| T1137.003 | Outlook Forms |
| T1137.004 | Outlook Home Page |
| T1137.005 | Outlook Rules |
| T1137.006 | Add-ins |
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.[1]
Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.[1]
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0358 | Ruler |
Ruler can be used to automate the abuse of Outlook Rules to establish persistence.[2] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [3] |
| M1051 | Update Software |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5] |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[6] This PowerShell script is ineffective in gathering rules with modified PRPR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.[7] SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[8]
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
References
- Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved February 4, 2019.
- SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.
- Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
- Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
- Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.
- Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.
- Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.
- SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.