Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.004 | Outlook Home Page |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1137.004 | Outlook Home Page |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, exploitation via Outlook Home Page can be prevented by applying Microsoft KB4011162 to systems, which removes the legacy Home Page feature.
References
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137.004 | Outlook Home Page |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1137.004 | Outlook Home Page | |
| SC-18 | Mobile Code | mitigates | T1137.004 | Outlook Home Page | |
| SC-44 | Detonation Chambers | mitigates | T1137.004 | Outlook Home Page | |
| SI-08 | Spam Protection | mitigates | T1137.004 | Outlook Home Page | |
| SI-02 | Flaw Remediation | mitigates | T1137.004 | Outlook Home Page | |
| CM-02 | Baseline Configuration | mitigates | T1137.004 | Outlook Home Page | |
| AC-06 | Least Privilege | mitigates | T1137.004 | Outlook Home Page |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.004 | Outlook Home Page |