Detect Outlook Forms in Google Chronicle
Adversaries abuse Microsoft Outlook custom forms to achieve persistence. Custom forms are stored in the user's mailbox and are loaded when Outlook starts. A malicious form containing VBScript or JScript executes when an adversary sends a specially crafted email to the victim. The Ruler tool automates this technique. Because the forms live in the mailbox rather than on the endpoint's disk, they are invisible to standard endpoint file monitoring and survive OS reinstalls.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.003 Outlook Forms
- Canonical reference: https://attack.mitre.org/techniques/T1137/003/
YARA-L Detection Query

    rule outlook_forms_persistence_t1137_003 {
      meta:
        author = "Argus Detection Engineering"
        description = "Detects T1137.003 Outlook Forms persistence: Outlook spawning shells, Ruler tool use, or Outlook external network connections"
        mitre_attack_tactic = "Persistence"
        mitre_attack_technique = "T1137.003"
        severity = "HIGH"
        confidence = "HIGH"
        version = "1.0"
        created = "2026-04-18"

      events:
        (
          // Branch 1: Outlook spawning shell interpreters (form VBScript/JScript execution)
          $e1.metadata.event_type = "PROCESS_LAUNCH"
          and re.regex($e1.principal.process.file.full_path, `(?i)outlook\.exe`)
          and re.regex($e1.target.process.file.full_path,
                       `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|wmic)\.exe`)
        )
        or
        (
          // Branch 2: Ruler tool execution
          $e1.metadata.event_type = "PROCESS_LAUNCH"
          and (
            re.regex($e1.target.process.file.full_path, `(?i)ruler\.exe`)
            or re.regex($e1.target.process.command_line, `(?i)--(forms|homepage|ruler|target)`)
          )
        )
        or
        (
          // Branch 3: Outlook external network connection post-trigger
          $e1.metadata.event_type = "NETWORK_CONNECTION"
          and re.regex($e1.principal.process.file.full_path, `(?i)outlook\.exe`)
          and not net.ip_in_range_cidr($e1.target.ip, "10.0.0.0/8")
          and not net.ip_in_range_cidr($e1.target.ip, "172.16.0.0/12")
          and not net.ip_in_range_cidr($e1.target.ip, "192.168.0.0/16")
          and not net.ip_in_range_cidr($e1.target.ip, "127.0.0.0/8")
          and $e1.target.port in (80, 443, 445, 4444, 8080, 8443)
        )

      condition:
        $e1
    }

Chronicle YARA-L 2.0 rule detecting Outlook Forms (T1137.003) persistence across three detection branches using the UDM event model: (1) the Outlook process spawning shell interpreters during form VBScript/JScript execution, (2) Ruler attack tool execution with forms-specific flags, (3) Outlook initiating external network connections on suspicious ports after a form is triggered.
False Positives & Tuning
- Legitimate Outlook integrations with enterprise software (CRM, ERP systems) that register COM automation objects launching cmd.exe or PowerShell as child processes
- IT-managed Outlook policies that use scripted automation (wscript.exe, cscript.exe) triggered on email receipt for legitimate workflow processing
- Cloud sync clients integrated into Outlook (OneDrive, SharePoint) that make external HTTPS connections via Outlook's process space on port 443
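To make the three branches and the tuning points above concrete without a Chronicle tenant, here is an added Python evaluator (not part of the original page or the Argus rule) that re-implements the rule's logic over constructed, UDM-shaped events. The regexes, CIDR exclusions and port list are copied from the rule; the flat dictionary keys mirror the UDM paths it references. The `allowed_cmdlines` and `allowed_hosts` parameters are a hypothetical tuning layer for the CRM-script and cloud-sync false positives listed above, and the sample events (including a Test 1-style `powershell.exe -> cmd.exe whoami` launch, which the rule deliberately does not fire on because the parent is not Outlook) are constructed for this example.

```python
"""Offline evaluator for the three branches of the Outlook Forms YARA-L rule.

Added example, not the page's or Chronicle's own code. Events are flat dicts
whose keys mirror the UDM paths used in the rule. The tuning allowlists are
hypothetical placeholders for an organisation's known-good integrations.
"""
import ipaddress
import re
from typing import Optional

# Patterns taken verbatim from the rule above.
OUTLOOK_RE = re.compile(r"(?i)outlook\.exe")
SHELL_RE = re.compile(
    r"(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|wmic)\.exe"
)
RULER_EXE_RE = re.compile(r"(?i)ruler\.exe")
RULER_FLAG_RE = re.compile(r"(?i)--(forms|homepage|ruler|target)")
PRIVATE_NETS = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
SUSPICIOUS_PORTS = {80, 443, 445, 4444, 8080, 8443}


def ip_in_private_range(ip: str) -> bool:
    """Equivalent of the four net.ip_in_range_cidr exclusions in branch 3."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def evaluate(event: dict, allowed_cmdlines=(), allowed_hosts=()) -> Optional[str]:
    """Return the name of the first matching branch, or None if the rule would not fire.

    allowed_cmdlines: substrings of known-good child command lines (branch 1 tuning).
    allowed_hosts: destination hostnames of known-good Outlook integrations (branch 3 tuning).
    """
    event_type = event.get("metadata.event_type")
    parent = event.get("principal.process.file.full_path", "")
    child = event.get("target.process.file.full_path", "")
    cmdline = event.get("target.process.command_line", "")

    if event_type == "PROCESS_LAUNCH":
        # Branch 1: Outlook parent spawning a shell interpreter, minus allowlisted scripts.
        if OUTLOOK_RE.search(parent) and SHELL_RE.search(child):
            if not any(marker.lower() in cmdline.lower() for marker in allowed_cmdlines):
                return "branch1_outlook_child_shell"
        # Branch 2: Ruler binary or Ruler-style flags on the command line.
        if RULER_EXE_RE.search(child) or RULER_FLAG_RE.search(cmdline):
            return "branch2_ruler_tool"
    elif event_type == "NETWORK_CONNECTION":
        # Branch 3: Outlook connecting outside RFC 1918/loopback space on a listed port.
        ip = event.get("target.ip", "")
        port = event.get("target.port")
        host = event.get("target.hostname", "").lower()
        if (OUTLOOK_RE.search(parent) and ip and not ip_in_private_range(ip)
                and port in SUSPICIOUS_PORTS and host not in allowed_hosts):
            return "branch3_outlook_external_connection"
    return None


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed sample telemetry; paths, IPs (TEST-NET-3) and hostnames are placeholders.
SAMPLE_EVENTS = [
    {"metadata.event_type": "PROCESS_LAUNCH", "principal.process.file.full_path": OUTLOOK,
     "target.process.file.full_path": r"C:\Windows\System32\wscript.exe",
     "target.process.command_line": r"wscript.exe C:\Users\alice\AppData\Local\Temp\form.vbs"},
    {"metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target.process.file.full_path": r"C:\Windows\System32\cmd.exe",
     "target.process.command_line": "cmd.exe /c whoami"},
    {"metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe",
     "target.process.file.full_path": r"C:\Tools\ruler.exe",
     "target.process.command_line": "ruler.exe"},
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.process.file.full_path": OUTLOOK,
     "target.ip": "203.0.113.10", "target.port": 443, "target.hostname": ""},
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.process.file.full_path": OUTLOOK,
     "target.ip": "10.1.2.3", "target.port": 443, "target.hostname": "mail.corp.internal"},
    {"metadata.event_type": "PROCESS_LAUNCH", "principal.process.file.full_path": OUTLOOK,
     "target.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target.process.command_line": r"powershell.exe -File C:\Integrations\crm_mail_sync.ps1"},
]


def run_samples(tuned: bool = True):
    """Evaluate every sample event, with or without the hypothetical tuning allowlists."""
    cmdlines = ("crm_mail_sync.ps1",) if tuned else ()
    hosts = ("crm-sync.example.com",) if tuned else ()
    return [evaluate(e, allowed_cmdlines=cmdlines, allowed_hosts=hosts) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(verdict, "<-", event["metadata.event_type"],
              event.get("target.process.file.full_path") or event.get("target.ip"))
```

Running the block shows the second sample (the Test 1 simulation with a PowerShell parent) and the private-range Outlook connection stay silent, while the allowlisted CRM script only stays silent when the tuning is applied; call `run_samples(tuned=False)` to see that sixth event revert to a branch 1 hit.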
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Test Outlook Child Process Detection (Simulate Form Execution)
  Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'whoami'. Parent process will be powershell.exe in this simulation (not outlook.exe), but the pattern of an Office app spawning cmd.exe is what the detection tests.
- Test 2: Ruler Tool Form Installation (Controlled Test)
  Expected signal: If actually executed: Sysmon Event ID 1 with Image=ruler.exe, Sysmon Event ID 3 with a network connection to the Exchange EWS endpoint on port 443. Security Event ID 4624 for EWS authentication.
- Test 3: Check for Malicious Outlook Forms via PowerShell EWS
  Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to the Exchange server on port 443. Security Event ID 4624 for EWS authentication (Kerberos or NTLM).
References (6)
- https://attack.mitre.org/techniques/T1137/003/
- https://sensepost.com/blog/2017/outlook-forms-and-shells/
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.003/T1137.003.md