Office Application Startup: Outlook Rules (T1137.005)

Tactic: Persistence · Platforms: Windows, Office Suite

The interactive view maps 1 detection strategy, 2 mitigations, 1 software entry to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Office Application Startup (T1137).

Overview

Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.

Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.

Explore