Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-6 | Least Privilege | Protects | T1137.005 | Outlook Rules |
| CM-2 | Baseline Configuration | Protects | T1137.005 | Outlook Rules |
| CM-6 | Configuration Settings | Protects | T1137.005 | Outlook Rules |
| SC-18 | Mobile Code | Protects | T1137.005 | Outlook Rules |
| SC-44 | Detonation Chambers | Protects | T1137.005 | Outlook Rules |
| SI-2 | Flaw Remediation | Protects | T1137.005 | Outlook Rules |
| SI-8 | Spam Protection | Protects | T1137.005 | Outlook Rules |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.005 | Office Application Startup: Outlook Rules |