Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-06 | Least Privilege | Protects | T1137.003 | Outlook Forms |
CM-02 | Baseline Configuration | Protects | T1137.003 | Outlook Forms |
CM-06 | Configuration Settings | Protects | T1137.003 | Outlook Forms |
SC-18 | Mobile Code | Protects | T1137.003 | Outlook Forms |
SC-44 | Detonation Chambers | Protects | T1137.003 | Outlook Forms |
SI-02 | Flaw Remediation | Protects | T1137.003 | Outlook Forms |
SI-08 | Spam Protection | Protects | T1137.003 | Outlook Forms |