MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1137.004: Outlook Home Page

Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.

Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-2061: Outlook_Home_Page_Changes: The registry key responsible for presenting the Outlook mail folder home page has been changed. This allows an attacker to save and execute code

Detection

IDDS0015Data source and componentApplication Log: Application Log ContentDescription

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor newly executed processes that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system.

Mitigation

IDM1051NameUpdate SoftwareDescription

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine. Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.

IDM1040NameBehavior Prevention on EndpointDescription

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk.