Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137.003 | Outlook Forms |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
References
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.003 | Outlook Forms |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1137.003 | Outlook Forms |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, exploitation via Outlook Forms can be mitigated by applying Microsoft KB4011091 which disables custom forms by default.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1137.003 | Outlook Forms | |
| SC-18 | Mobile Code | mitigates | T1137.003 | Outlook Forms | |
| SC-44 | Detonation Chambers | mitigates | T1137.003 | Outlook Forms | |
| SI-08 | Spam Protection | mitigates | T1137.003 | Outlook Forms | |
| SI-02 | Flaw Remediation | mitigates | T1137.003 | Outlook Forms | |
| CM-02 | Baseline Configuration | mitigates | T1137.003 | Outlook Forms | |
| AC-06 | Least Privilege | mitigates | T1137.003 | Outlook Forms |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.003 | Outlook Forms |