T1137.003 Sumo Logic CSE · Sumo

Detect Outlook Forms in Sumo Logic CSE

Adversaries abuse Microsoft Outlook custom forms to achieve persistence. A custom form is stored in the user's mailbox, is loaded when Outlook starts, and runs its embedded VBScript when a message whose message class matches the form is received and opened. The adversary triggers execution simply by sending the victim a specially crafted email; the Ruler tool automates installing such forms remotely against Exchange. Because the form lives in the mailbox rather than on disk, it is invisible to file-based endpoint monitoring and survives an OS reinstall or a move to a new workstation.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.003 Outlook Forms
Canonical reference
https://attack.mitre.org/techniques/T1137/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "ParentImage" as parent_image nodrop
| json field=_raw "Image" as process_image nodrop
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "DestinationIp" as dest_ip nodrop
| json field=_raw "DestinationPort" as dest_port nodrop
| json field=_raw "User" as user nodrop
| json field=_raw "Computer" as host nodrop
| where event_id in ("1", "3")
| toLowerCase(parent_image) as parent_image_lower
| toLowerCase(process_image) as process_image_lower
| toLowerCase(command_line) as command_lower
// Sysmon EID 1: outlook.exe spawning a shell interpreter or LOLBin
| if(event_id = "1"
    and parent_image_lower matches "*outlook.exe*"
    and (process_image_lower matches "*cmd.exe*"
      or process_image_lower matches "*powershell.exe*"
      or process_image_lower matches "*wscript.exe*"
      or process_image_lower matches "*cscript.exe*"
      or process_image_lower matches "*mshta.exe*"
      or process_image_lower matches "*rundll32.exe*"
      or process_image_lower matches "*regsvr32.exe*"
      or process_image_lower matches "*certutil.exe*"
      or process_image_lower matches "*msiexec.exe*"
      or process_image_lower matches "*wmic.exe*"),
    1, 0) as is_outlook_child
// Ruler binary or its command-line markers, on either event type
| if(process_image_lower matches "*ruler.exe*"
    or command_lower matches "*--forms*"
    or command_lower matches "*--homepage*"
    or command_lower matches "*--ruler*",
    1, 0) as is_ruler
// RFC 1918 and loopback in one anchored regex. A bare "172.2*" wildcard would
// also suppress the public 172.2.0.0/16 range, so the 172.16/12 block is spelled out.
| if(dest_ip matches /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/, 1, 0) as dest_internal
// Sysmon EID 3 has no ParentImage: the connecting process is Image, so test process_image here
| if(event_id = "3"
    and process_image_lower matches "*outlook.exe*"
    and dest_port matches /^(80|443|445|4444|8080|8443)$/
    and dest_internal = 0,
    1, 0) as is_outlook_net
| where is_outlook_child = 1 or is_ruler = 1 or is_outlook_net = 1
| if(is_outlook_child = 1, "Outlook_Spawned_Shell",
    if(is_ruler = 1, "Ruler_Tool_Detected",
      if(is_outlook_net = 1, "Outlook_External_Connection", "Unknown"))) as detection_type
| fields _messageTime, host, user, detection_type, process_image, command_line, parent_image, dest_ip, dest_port
Severity: high · Confidence: high

Sumo Logic CSE query detecting Outlook Forms (T1137.003) persistence indicators from Sysmon Event ID 1 (process create) and Event ID 3 (network connect). It flags outlook.exe spawning shell interpreters or LOLBins, Ruler execution patterns, and outlook.exe itself (the Image field of Event ID 3, which carries no ParentImage) connecting to non-RFC 1918 addresses on ports consistent with form payload delivery.
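The three branches of the query re-implemented in Python and run over constructed Sysmon JSON events, added here so the logic can be checked offline; this is example code, not part of the page or of any Sumo Logic content pack. Field names (EventID, Image, ParentImage, CommandLine, DestinationIp, DestinationPort, User, Computer) follow the query; every sample value is invented. It also shows why the 172.16.0.0/12 check must not be written as a "172.2*" prefix and why the Event ID 3 branch must test Image rather than ParentImage.

```python
import ipaddress
import json

# Process names the query treats as shell interpreters / LOLBins under outlook.exe
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "wmic.exe"}
# Command-line markers the query associates with Ruler
RULER_MARKERS = ("--forms", "--homepage", "--ruler")
# Destination ports watched for outlook.exe egress
WATCH_PORTS = {"80", "443", "445", "4444", "8080", "8443"}


def image_name(path):
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    """True for addresses ipaddress classifies as non-public: RFC 1918,
    loopback, link-local and the documentation/reserved ranges (v4 or v6).

    Unparsable values count as internal so malformed telemetry does not
    raise an external-connection alert.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_private or addr.is_loopback or addr.is_link_local


def classify(evt):
    """Return the detection_type the query would assign to one event, or None."""
    eid = str(evt.get("EventID", ""))
    if eid not in ("1", "3"):
        return None
    image = image_name(evt.get("Image"))
    parent = image_name(evt.get("ParentImage"))
    cmd = (evt.get("CommandLine") or "").lower()

    if eid == "1" and parent == "outlook.exe" and image in SHELLS:
        return "Outlook_Spawned_Shell"
    if image == "ruler.exe" or any(m in cmd for m in RULER_MARKERS):
        return "Ruler_Tool_Detected"
    # EID 3 records the connecting process in Image and has no ParentImage.
    if (eid == "3" and image == "outlook.exe"
            and str(evt.get("DestinationPort", "")) in WATCH_PORTS
            and not is_internal(evt.get("DestinationIp") or "")):
        return "Outlook_External_Connection"
    return None


def run_detection(lines):
    """Run classify() over JSON event lines; return [(host, user, type, image)]."""
    hits = []
    for line in lines:
        evt = json.loads(line)
        dtype = classify(evt)
        if dtype:
            hits.append((evt.get("Computer"), evt.get("User"), dtype,
                         image_name(evt.get("Image"))))
    return hits


# Constructed sample telemetry (hostnames, users, paths and IPs are invented).
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "ParentImage": OUTLOOK, "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c whoami"}),                        # hit
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "ParentImage": OUTLOOK,
                "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
                "CommandLine": "EXCEL.EXE /e"}),                             # benign child
    json.dumps({"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe",
                "Image": "C:\\Users\\bob\\Downloads\\ruler.exe",
                "CommandLine": "ruler.exe --email bob@corp.example"}),       # hit
    json.dumps({"EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
                "Image": OUTLOOK, "DestinationIp": "172.2.5.10",
                "DestinationPort": "443"}),    # public 172.2/16, hit
    json.dumps({"EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
                "Image": OUTLOOK, "DestinationIp": "172.20.1.5",
                "DestinationPort": "443"}),    # RFC 1918, no hit
    json.dumps({"EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
                "Image": OUTLOOK, "DestinationIp": "172.2.5.11",
                "DestinationPort": "25"}),     # port not watched, no hit
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints three hits: the cmd.exe child, the ruler.exe launch and the outlook.exe connection to 172.2.5.10. The 172.20.1.5 event is correctly suppressed as RFC 1918, which a "172.2*" wildcard cannot distinguish from 172.2.5.10.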

Data Sources

  • Sumo Logic Sysmon Source
  • Sumo Logic Windows Security Source
  • Sumo Logic Installed Collector with Windows Event Log Source

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=windows/security

False Positives & Tuning

  • Outlook COM add-ins that legitimately spawn cmd.exe or PowerShell for scripted integrations (e.g., custom email processing workflows, ticketing system integrations)
  • Security awareness training platforms that simulate phishing by sending specially crafted emails that trigger benign Outlook child processes
  • Network monitoring or DLP agents injected into outlook.exe making health-check connections to external SaaS endpoints on port 443
  • outlook.exe's own traffic to Exchange Online and other Microsoft 365 endpoints on port 443 is external by definition; without an allowlist of the Microsoft 365 IP ranges (or of the DestinationHostname values Sysmon records on Event ID 3) the Outlook_External_Connection branch fires on every mailbox sync

Testing Methodology

Validate this detection with the three tests below, modelled on Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Outlook Child Process Detection (Simulate Form Execution)

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=cmd.exe and CommandLine containing 'whoami'. In this simulation the parent is powershell.exe, not outlook.exe, so the event exercises the child-process telemetry path but will not match the query's is_outlook_child branch, which requires ParentImage=outlook.exe; only a cmd.exe actually launched from Outlook produces the alert.

  2. Test 2: Ruler Tool Form Installation (Controlled Test)

    Expected signal (if actually executed): Sysmon Event ID 1 with Image=ruler.exe, which matches the is_ruler branch; Sysmon Event ID 3 from ruler.exe to the Exchange EWS endpoint on port 443; Security Event ID 4624 on the Exchange server for the EWS authentication.

  3. Test 3: Check for Malicious Outlook Forms via PowerShell EWS

    Expected signal: Sysmon Event ID 3 with Image=powershell.exe connecting to the Exchange server on port 443, and Security Event ID 4624 for the EWS authentication (Kerberos or NTLM). This traffic alone matches none of the query's branches (the process is neither outlook.exe nor ruler.exe), so the test validates the telemetry pipeline rather than the alert itself.

Unlock Pro Content

Get the full detection package for T1137.003 including response playbook, investigation guide, and atomic red team tests.

Response Playbook · Investigation Guide · Hunting Queries · Atomic Red Team Tests · Tuning Guidance
