Detect Outlook Forms in Elastic Security
Adversaries abuse Microsoft Outlook custom forms to achieve persistence. Custom forms are stored in the user's mailbox and are loaded when Outlook starts. A malicious form containing VBScript or JScript executes when an adversary sends a specially crafted email to the victim. The Ruler tool automates this technique. Forms are stored in the mailbox itself, making them invisible to standard endpoint file monitoring and surviving OS reinstalls.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Sub-technique
- T1137.003 Outlook Forms
- Canonical reference
- https://attack.mitre.org/techniques/T1137/003/
Elastic Detection Query
sequence by host.id with maxspan=5m
[process where event.type == "start"
and process.parent.name : "outlook.exe"
and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
"msiexec.exe", "wmic.exe", "explorer.exe")]
OR
[process where event.type == "start"
and (
process.name : "ruler.exe"
or process.args : ("--forms", "--homepage", "--ruler", "--target")
)]
OR
[network where event.type == "connection"
and process.name : "outlook.exe"
and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
and destination.port in (80, 443, 445, 4444, 8080, 8443)]Detects T1137.003 Outlook Forms persistence via three signals: (1) Outlook spawning suspicious child processes indicative of embedded VBScript/JScript form execution, (2) Ruler tool execution used to automate Outlook forms attacks, and (3) Outlook initiating external network connections on suspicious ports after form trigger.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Outlook add-ins or plugins that spawn helper processes (e.g., PDF readers, virus scanners integrated with Outlook) may generate false positives on the child process detection branch
- Security tools such as email gateways, DLP agents, or Outlook integrations that connect to external SaaS services may trigger the network connection branch for ports 80/443
- IT administration tools that use Ruler-like command-line flags (--target, --forms) for legitimate Exchange management tasks
Other platforms for T1137.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Test Outlook Child Process Detection (Simulate Form Execution)
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'whoami'. Parent process will be powershell.exe in this simulation (not outlook.exe), but the pattern of Office app spawning cmd.exe is what the detection tests.
- Test 2Ruler Tool Form Installation (Controlled Test)
Expected signal: If actually executed: Sysmon Event ID 1 with Image=ruler.exe, Sysmon Event ID 3 with network connection to Exchange EWS endpoint on port 443. Security Event ID 4624 for EWS authentication.
- Test 3Check for Malicious Outlook Forms via PowerShell EWS
Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to Exchange server on port 443. Security Event ID 4624 for EWS authentication (Kerberos or NTLM).
References (6)
- https://attack.mitre.org/techniques/T1137/003/
- https://sensepost.com/blog/2017/outlook-forms-and-shells/
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.003/T1137.003.md
Unlock Pro Content
Get the full detection package for T1137.003 including response playbook, investigation guide, and atomic red team tests.