Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-2 | Baseline Configuration | Protects | T1137.005 | Outlook Rules | |
SI-2 | Flaw Remediation | Protects | T1137.005 | Outlook Rules |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1137.005 | Outlook Rules |
Comments
The following Azure Sentinel Analytics queries can identify potentially malicious use of Outlook rules: "Office policy tampering", "Malicious Inbox Rule" which can detect rules intended to delete emails that contain certain keywords (generally meant to warn compromised users about adversary behaviors), and "Mail redirect via ExO transport rule" (potentially to an adversary mailbox configured to collect mail).
References
|