Detect Outlook Forms in Splunk
Adversaries abuse Microsoft Outlook custom forms to achieve persistence. Custom forms are stored in the user's mailbox and are loaded when Outlook starts. A malicious form containing VBScript or JScript executes when an adversary sends a specially crafted email to the victim. The Ruler tool automates this technique. Forms are stored in the mailbox itself, making them invisible to standard endpoint file monitoring and surviving OS reinstalls.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Sub-technique
- T1137.003 Outlook Forms
- Canonical reference
- https://attack.mitre.org/techniques/T1137/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
EventCode=1 AND match(ParentImage, "(?i)outlook\.exe") AND
match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|wmic)\.exe"),
"Outlook_Spawned_Shell",
EventCode=1 AND (match(CommandLine, "(?i)(--forms|--homepage|--ruler)") OR match(Image, "(?i)ruler\.exe")),
"Ruler_Tool_Detected",
EventCode=3 AND match(Image, "(?i)outlook\.exe") AND
NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)"),
"Outlook_External_Connection",
true(), null()
)
| where isnotnull(detection_type)
| eval indicator=case(
EventCode=1, CommandLine,
EventCode=3, DestinationIp.":".DestinationPort,
true(), "-"
)
| table _time, host, User, detection_type, indicator, Image, CommandLine, ParentImage, ParentCommandLine
| sort - _timeDetects Outlook Forms persistence indicators via Sysmon. EventCode 1 catches Outlook spawning shell processes (form code execution) and Ruler tool activity. EventCode 3 catches Outlook making unexpected outbound connections to public IPs (potential C2 initiated by form receiving trigger email). The Ruler tool detection fires on its distinctive command-line flags (--forms, --homepage, --ruler).
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Outlook add-ins spawning helper processes (enumerate and allowlist by parent command line)
- Exchange Online hybrid connectors initiating connections that pass through Outlook
- IT automation tools using MAPI connections via Outlook client
Other platforms for T1137.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Test Outlook Child Process Detection (Simulate Form Execution)
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'whoami'. Parent process will be powershell.exe in this simulation (not outlook.exe), but the pattern of Office app spawning cmd.exe is what the detection tests.
- Test 2Ruler Tool Form Installation (Controlled Test)
Expected signal: If actually executed: Sysmon Event ID 1 with Image=ruler.exe, Sysmon Event ID 3 with network connection to Exchange EWS endpoint on port 443. Security Event ID 4624 for EWS authentication.
- Test 3Check for Malicious Outlook Forms via PowerShell EWS
Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to Exchange server on port 443. Security Event ID 4624 for EWS authentication (Kerberos or NTLM).
References (6)
- https://attack.mitre.org/techniques/T1137/003/
- https://sensepost.com/blog/2017/outlook-forms-and-shells/
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.003/T1137.003.md
Unlock Pro Content
Get the full detection package for T1137.003 including response playbook, investigation guide, and atomic red team tests.