T1137.003SubTechniquepersistenceagent-callable

T1137.003Outlook Forms

Sub-technique of T1137

Platforms: Windows · Office 365

ATT&CK version: 14.1

What it is

Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms) Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)

ATT&CK tactics· 1

Persistence

References

  1. https://attack.mitre.org/techniques/T1137/003
  2. https://sensepost.com/blog/2017/outlook-forms-and-shells/
  3. https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
  4. https://github.com/sensepost/notruler
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.