T1137.003 Outlook Forms Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1137.003 — Outlook Forms persistence detection
// Forms are stored in the mailbox, but execution leaves process traces
// Part 1: Detect Outlook spawning unexpected child processes (form execution)
let OutlookChildren = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                      "msiexec.exe", "wmic.exe", "explorer.exe")
| extend DetectionType = "Outlook Child Process"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect Ruler tool usage (automates Outlook forms attack)
let RulerActivity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("ruler", "--forms", "--homepage", "--target", "--ruler")
    or FileName =~ "ruler.exe"
| extend DetectionType = "Ruler Tool Execution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect network connections from Outlook to Exchange/MAPI after form trigger
let OutlookPostExec = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where RemotePort in (80, 443, 445, 4444, 8080, 8443)
| where RemoteIPType == "Public"
| extend DetectionType = "Outlook External Network Connection"
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union OutlookChildren, RulerActivity, OutlookPostExec
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate Outlook add-ins or plugins that spawn helper processes (e.g., CRM integrations, document management systems)
IT helpdesk tools that connect to Exchange via Outlook for automation purposes
Security awareness training platforms that send test phishing emails (should not cause child processes in normal operation)
Outlook integration with Teams, Slack, or other collaboration tools spawning child processes for notifications

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=1 AND match(ParentImage, "(?i)outlook\.exe") AND
      match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|wmic)\.exe"),
      "Outlook_Spawned_Shell",
    EventCode=1 AND (match(CommandLine, "(?i)(--forms|--homepage|--ruler)") OR match(Image, "(?i)ruler\.exe")),
      "Ruler_Tool_Detected",
    EventCode=3 AND match(Image, "(?i)outlook\.exe") AND
      NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)"),
      "Outlook_External_Connection",
    true(), null()
  )
| where isnotnull(detection_type)
| eval indicator=case(
    EventCode=1, CommandLine,
    EventCode=3, DestinationIp.":".DestinationPort,
    true(), "-"
  )
| table _time, host, User, detection_type, indicator, Image, CommandLine, ParentImage, ParentCommandLine
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Sysmon Event ID 1, 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Outlook add-ins spawning helper processes (enumerate and allowlist by parent command line)
Exchange Online hybrid connectors initiating connections that pass through Outlook
IT automation tools using MAPI connections via Outlook client

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start"
    and process.parent.name : "outlook.exe"
    and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                         "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                         "msiexec.exe", "wmic.exe", "explorer.exe")]
OR
[process where event.type == "start"
  and (
    process.name : "ruler.exe"
    or process.args : ("--forms", "--homepage", "--ruler", "--target")
  )]
OR
[network where event.type == "connection"
  and process.name : "outlook.exe"
  and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
  and destination.port in (80, 443, 445, 4444, 8080, 8443)]

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent with Endpoint integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate Outlook add-ins or plugins that spawn helper processes (e.g., PDF readers, virus scanners integrated with Outlook) may generate false positives on the child process detection branch
Security tools such as email gateways, DLP agents, or Outlook integrations that connect to external SaaS services may trigger the network connection branch for ports 80/443
IT administration tools that use Ruler-like command-line flags (--target, --forms) for legitimate Exchange management tasks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  destinationip,
  destinationport,
  QIDNAME(qid) AS event_name,
  "ParentImage" AS parent_image,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  CASE
    WHEN LOWER("ParentImage") LIKE '%outlook.exe%'
      AND (LOWER("Image") LIKE '%cmd.exe%'
        OR LOWER("Image") LIKE '%powershell.exe%'
        OR LOWER("Image") LIKE '%wscript.exe%'
        OR LOWER("Image") LIKE '%cscript.exe%'
        OR LOWER("Image") LIKE '%mshta.exe%'
        OR LOWER("Image") LIKE '%rundll32.exe%'
        OR LOWER("Image") LIKE '%regsvr32.exe%'
        OR LOWER("Image") LIKE '%certutil.exe%'
        OR LOWER("Image") LIKE '%msiexec.exe%'
        OR LOWER("Image") LIKE '%wmic.exe%')
    THEN 'Outlook_Spawned_Shell'
    WHEN LOWER("Image") LIKE '%ruler.exe%'
      OR LOWER("CommandLine") LIKE '%--%forms%'
      OR LOWER("CommandLine") LIKE '%--%homepage%'
      OR LOWER("CommandLine") LIKE '%--%ruler%'
    THEN 'Ruler_Tool_Detected'
    WHEN LOWER("ParentImage") LIKE '%outlook.exe%'
      AND destinationport IN (80, 443, 445, 4444, 8080, 8443)
      AND destinationip NOT LIKE '10.%'
      AND destinationip NOT LIKE '192.168.%'
      AND destinationip NOT LIKE '172.16.%'
      AND destinationip NOT LIKE '127.%'
    THEN 'Outlook_External_Connection'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 366)
  AND starttime > NOW() - 86400000
  AND (
    (LOWER("ParentImage") LIKE '%outlook.exe%'
      AND (LOWER("Image") LIKE '%cmd.exe%'
        OR LOWER("Image") LIKE '%powershell.exe%'
        OR LOWER("Image") LIKE '%wscript.exe%'
        OR LOWER("Image") LIKE '%cscript.exe%'
        OR LOWER("Image") LIKE '%mshta.exe%'
        OR LOWER("Image") LIKE '%rundll32.exe%'
        OR LOWER("Image") LIKE '%regsvr32.exe%'
        OR LOWER("Image") LIKE '%certutil.exe%'
        OR LOWER("Image") LIKE '%msiexec.exe%'
        OR LOWER("Image") LIKE '%wmic.exe%'))
    OR (LOWER("Image") LIKE '%ruler.exe%'
        OR LOWER("CommandLine") LIKE '%--%forms%'
        OR LOWER("CommandLine") LIKE '%--%homepage%'
        OR LOWER("CommandLine") LIKE '%--%ruler%')
    OR (LOWER("ParentImage") LIKE '%outlook.exe%'
        AND destinationport IN (80, 443, 445, 4444, 8080, 8443)
        AND destinationip NOT LIKE '10.%'
        AND destinationip NOT LIKE '192.168.%'
        AND destinationip NOT LIKE '172.16.%'
        AND destinationip NOT LIKE '127.%')
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Microsoft Sysmon DSM QRadar Microsoft Windows DSM

Required Tables

events

False Positives

Legitimate third-party Outlook add-ins (e.g., DocuSign, Salesforce, Zoom plugins) that launch helper executables as child processes of outlook.exe
Corporate email security scanners or CASB agents that intercept Outlook network traffic and appear as Outlook-originated connections to external IPs
Penetration testing tools and red team engagements using Ruler in authorized assessments without exclusion rules configured in QRadar

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "ParentImage" as parent_image nodrop
| json field=_raw "Image" as process_image nodrop
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "DestinationIp" as dest_ip nodrop
| json field=_raw "DestinationPort" as dest_port nodrop
| json field=_raw "User" as user nodrop
| json field=_raw "Computer" as host nodrop
| where event_id in ("1", "3")
| eval parent_image_lower = toLowerCase(parent_image)
| eval process_image_lower = toLowerCase(process_image)
| eval command_lower = toLowerCase(command_line)
| eval is_outlook_child = if(
    parent_image_lower matches "*outlook.exe*"
    AND (process_image_lower matches "*cmd.exe*"
      OR process_image_lower matches "*powershell.exe*"
      OR process_image_lower matches "*wscript.exe*"
      OR process_image_lower matches "*cscript.exe*"
      OR process_image_lower matches "*mshta.exe*"
      OR process_image_lower matches "*rundll32.exe*"
      OR process_image_lower matches "*regsvr32.exe*"
      OR process_image_lower matches "*certutil.exe*"
      OR process_image_lower matches "*msiexec.exe*"
      OR process_image_lower matches "*wmic.exe*"),
    true(), false())
| eval is_ruler = if(
    process_image_lower matches "*ruler.exe*"
    OR command_lower matches "*--forms*"
    OR command_lower matches "*--homepage*"
    OR command_lower matches "*--ruler*",
    true(), false())
| eval is_outlook_net = if(
    event_id = "3"
    AND parent_image_lower matches "*outlook.exe*"
    AND dest_port in ("80", "443", "445", "4444", "8080", "8443")
    AND !dest_ip matches "10.*"
    AND !dest_ip matches "192.168.*"
    AND !dest_ip matches "172.16.*"
    AND !dest_ip matches "172.17.*"
    AND !dest_ip matches "172.18.*"
    AND !dest_ip matches "172.19.*"
    AND !dest_ip matches "172.2*"
    AND !dest_ip matches "172.30.*"
    AND !dest_ip matches "172.31.*"
    AND !dest_ip matches "127.*",
    true(), false())
| where is_outlook_child OR is_ruler OR is_outlook_net
| eval detection_type = if(is_outlook_child, "Outlook_Spawned_Shell",
    if(is_ruler, "Ruler_Tool_Detected",
      if(is_outlook_net, "Outlook_External_Connection", "Unknown")))
| fields _messageTime, host, user, detection_type, process_image, command_line, parent_image, dest_ip, dest_port
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Sysmon Source Sumo Logic Windows Security Source Sumo Logic Installed Collector with Windows Event Log Source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Outlook COM add-ins that legitimately spawn cmd.exe or PowerShell for scripted integrations (e.g., custom email processing workflows, ticketing system integrations)
Security awareness training platforms that simulate phishing by sending specially crafted emails that trigger benign Outlook child processes
Network monitoring or DLP agents running in the context of outlook.exe making health-check connections to external SaaS endpoints on port 443

Google Chronicle / SecOps

yaral

rule outlook_forms_persistence_t1137_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1137.003 Outlook Forms persistence: Outlook spawning shells, Ruler tool use, or Outlook external network connections"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137.003"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    (
      // Branch 1: Outlook spawning shell interpreters (form VBScript/JScript execution)
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)outlook\.exe`)
      and re.regex($e1.target.process.file.full_path,
        `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|wmic)\.exe`)
    )
    or
    (
      // Branch 2: Ruler tool execution
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.target.process.file.full_path, `(?i)ruler\.exe`)
        or re.regex($e1.target.process.command_line, `(?i)--(forms|homepage|ruler|target)`)
      )
    )
    or
    (
      // Branch 3: Outlook external network connection post-trigger
      $e1.metadata.event_type = "NETWORK_CONNECTION"
      and re.regex($e1.principal.process.file.full_path, `(?i)outlook\.exe`)
      and not net.ip_in_range_cidr($e1.target.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($e1.target.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($e1.target.ip, "192.168.0.0/16")
      and not net.ip_in_range_cidr($e1.target.ip, "127.0.0.0/8")
      and $e1.target.port in (80, 443, 445, 4444, 8080, 8443)
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Chronicle UDM via Google Workspace / Microsoft 365 integration Chronicle Endpoint Detection via CrowdStrike or Carbon Black forwarder Chronicle Sysmon log ingestion via BindPlane or direct forwarder

Required Tables

UDM events: PROCESS_LAUNCH UDM events: NETWORK_CONNECTION

False Positives

Legitimate Outlook integrations with enterprise software (CRM, ERP systems) that register COM automation objects launching cmd.exe or PowerShell as child processes
IT-managed Outlook policies that use scripted automation (wscript.exe, cscript.exe) triggered on email receipt for legitimate workflow processing
Cloud sync clients integrated into Outlook (OneDrive, SharePoint) that make external HTTPS connections via Outlook's process space on port 443

CrowdStrike LogScale (CQL)

cql

// T1137.003 - Outlook Forms Persistence Detection
// Branch 1: Outlook spawning suspicious child processes
#repo=base_sensor
| #event_simpleName=ProcessRollup2
| ParentBaseFileName = "outlook.exe"
| ImageFileName = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|wmic)\.exe$/
| eval DetectionType = "Outlook_Spawned_Shell"
| table([@timestamp, ComputerName, UserName, DetectionType, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine])

OR

// Branch 2: Ruler tool execution
#repo=base_sensor
| #event_simpleName=ProcessRollup2
| (
    ImageFileName = /(?i)ruler\.exe$/
    OR CommandLine = /(?i)--(forms|homepage|ruler|target)/
  )
| eval DetectionType = "Ruler_Tool_Detected"
| table([@timestamp, ComputerName, UserName, DetectionType, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine])

OR

// Branch 3: Outlook making external network connections on suspicious ports
#repo=base_sensor
| #event_simpleName=NetworkConnectIP4
| LocalAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ImageFileName = /(?i)outlook\.exe$/
| RemotePort in [80, 443, 445, 4444, 8080, 8443]
| eval DetectionType = "Outlook_External_Connection"
| table([@timestamp, ComputerName, UserName, DetectionType, RemoteAddressIP4, RemotePort, ImageFileName, CommandLine])

| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Insight XDR Humio/LogScale with Falcon sensor data

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Enterprise Outlook plugins deployed via Group Policy that legitimately execute PowerShell or cmd.exe for email processing automation (e.g., automatic PDF generation, ticket creation scripts)
Penetration testing or red team exercises using Ruler against Exchange without pre-configured exclusions in Falcon policies
Cloud-connected productivity tools (e.g., Microsoft Teams, Zoom Outlook plugin) that spawn helper processes or initiate external connections via Outlook's process context

Outlook Forms

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections