T1137.003 CrowdStrike LogScale · LogScale

Detect Outlook Forms in CrowdStrike LogScale

Adversaries abuse Microsoft Outlook custom forms to achieve persistence. Custom forms are stored in the user's mailbox and are loaded when Outlook starts. A malicious form containing VBScript or JScript executes when an adversary sends a specially crafted email to the victim. The Ruler tool automates this technique. Forms are stored in the mailbox itself, making them invisible to standard endpoint file monitoring and surviving OS reinstalls.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.003 Outlook Forms
Canonical reference
https://attack.mitre.org/techniques/T1137/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1137.003 - Outlook Forms Persistence Detection
// Branch 1: Outlook spawning suspicious child processes
#repo=base_sensor
| #event_simpleName=ProcessRollup2
| ParentBaseFileName = "outlook.exe"
| ImageFileName = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|wmic)\.exe$/
| eval DetectionType = "Outlook_Spawned_Shell"
| table([@timestamp, ComputerName, UserName, DetectionType, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine])

OR

// Branch 2: Ruler tool execution
#repo=base_sensor
| #event_simpleName=ProcessRollup2
| (
    ImageFileName = /(?i)ruler\.exe$/
    OR CommandLine = /(?i)--(forms|homepage|ruler|target)/
  )
| eval DetectionType = "Ruler_Tool_Detected"
| table([@timestamp, ComputerName, UserName, DetectionType, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine])

OR

// Branch 3: Outlook making external network connections on suspicious ports
#repo=base_sensor
| #event_simpleName=NetworkConnectIP4
| LocalAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ImageFileName = /(?i)outlook\.exe$/
| RemotePort in [80, 443, 445, 4444, 8080, 8443]
| eval DetectionType = "Outlook_External_Connection"
| table([@timestamp, ComputerName, UserName, DetectionType, RemoteAddressIP4, RemotePort, ImageFileName, CommandLine])

| sort(field=@timestamp, order=desc)
high severity high confidence

CrowdStrike LogScale (CQL) detection for T1137.003 Outlook Forms persistence using Falcon sensor events. Queries ProcessRollup2 events for Outlook spawning shell interpreters and Ruler tool execution, and NetworkConnectIP4 events for Outlook initiating external connections on suspicious ports consistent with form payload C2 callback.

Data Sources

CrowdStrike Falcon Endpoint ProtectionCrowdStrike Falcon Insight XDRHumio/LogScale with Falcon sensor data

Required Tables

ProcessRollup2NetworkConnectIP4

False Positives & Tuning

  • Enterprise Outlook plugins deployed via Group Policy that legitimately execute PowerShell or cmd.exe for email processing automation (e.g., automatic PDF generation, ticket creation scripts)
  • Penetration testing or red team exercises using Ruler against Exchange without pre-configured exclusions in Falcon policies
  • Cloud-connected productivity tools (e.g., Microsoft Teams, Zoom Outlook plugin) that spawn helper processes or initiate external connections via Outlook's process context
Download portable Sigma rule (.yml)

Other platforms for T1137.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Test Outlook Child Process Detection (Simulate Form Execution)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'whoami'. Parent process will be powershell.exe in this simulation (not outlook.exe), but the pattern of Office app spawning cmd.exe is what the detection tests.

  2. Test 2Ruler Tool Form Installation (Controlled Test)

    Expected signal: If actually executed: Sysmon Event ID 1 with Image=ruler.exe, Sysmon Event ID 3 with network connection to Exchange EWS endpoint on port 443. Security Event ID 4624 for EWS authentication.

  3. Test 3Check for Malicious Outlook Forms via PowerShell EWS

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to Exchange server on port 443. Security Event ID 4624 for EWS authentication (Kerberos or NTLM).

Last updated: 2026-04-18 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1137.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1137Office Application Startup

Related Sub-techniques

T1137.001Office Template MacrosT1137.002Office TestT1137.004Outlook Home PageT1137.005Outlook RulesT1137.006Add-ins

Related Techniques

T1137Office Application StartupT1137.004Outlook Home PageT1137.005Outlook RulesT1114.002Remote Email CollectionT1059.005Visual BasicT1021.002SMB/Windows Admin Shares

Same Tactic: Persistence

Popular Detections