T1137.005SubTechniquepersistenceagent-callable

T1137.005Outlook Rules

Sub-technique of T1137

Platforms: Windows · Office 365

ATT&CK version: 14.1

What it is

Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules) Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)

ATT&CK tactics· 1

Persistence

References

  1. https://attack.mitre.org/techniques/T1137/005
  2. https://silentbreaksecurity.com/malicious-outlook-rules/
  3. https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
  4. https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
  5. https://github.com/sensepost/notruler
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.