T1137.004 Outlook Home Page Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1137.004 — Outlook Home Page persistence detection
// The Home Page URL is stored per-folder in the mailbox; execution leaves browser/script engine traces
// Part 1: Detect Outlook spawning browser-related or scripting processes (Home Page execution)
let OutlookHomePage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")
| extend DetectionType = "Outlook_Home_Page_Child_Proc"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect registry keys for Outlook folder Home Page URL settings
let OutlookHomepageReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Outlook", "HomePage") or
        (RegistryKey has "Outlook" and RegistryValueName =~ "URL")
| extend DetectionType = "Outlook_HomePage_Registry"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect Ruler usage targeting Home Page feature
let RulerHomepage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("--homepage", "ruler") and
        ProcessCommandLine has_any ("homepages", "homepage", "--url")
| extend DetectionType = "Ruler_Homepage_Attack"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union OutlookHomePage, OutlookHomepageReg, RulerHomepage
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Registry Value Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

SharePoint or intranet portals configured as legitimate Outlook folder home pages by IT administrators
Corporate Outlook customizations that load internal web dashboards in folder view
OWA (Outlook Web Access) client features that legitimately trigger browser-related processes
IT ticketing integrations that use Outlook Home Page to display ticket status within the email client

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=1 AND match(ParentImage, "(?i)outlook\.exe") AND
      match(Image, "(?i)(iexplore|msedge|wscript|cscript|mshta|powershell|cmd|rundll32)\.exe"),
      "Outlook_HomePage_Child_Proc",
    EventCode=12 AND match(TargetObject, "(?i)Outlook.*HomePage"),
      "Outlook_HomePage_Registry_Create",
    EventCode=13 AND match(TargetObject, "(?i)Outlook.*HomePage"),
      "Outlook_HomePage_Registry_Set",
    EventCode=1 AND (match(CommandLine, "(?i)--homepage") OR
      (match(CommandLine, "(?i)ruler") AND match(CommandLine, "(?i)(homepage|homepages)"))),
      "Ruler_HomePage_Attack",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, ParentImage, TargetObject, Details
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Registry Key/Value Modification Sysmon Event ID 1, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate SharePoint/intranet home page configurations in Outlook
IT-managed Outlook folder customizations using internal URLs
Exchange admin scripts modifying Outlook folder properties

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  process where event.type == "start"
    and process.parent.name : "outlook.exe"
    and process.name : ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
                         "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")
] by process.parent.entity_id

any where
(
  /* Outlook spawning browser/script engine — Home Page execution */
  (event.category == "process" and event.type == "start"
   and process.parent.name : "outlook.exe"
   and process.name : ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
                        "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe"))
  or
  /* Outlook HomePage registry key creation/modification */
  (event.category == "registry"
   and registry.path : ("*\\Outlook\\HomePage*", "*\\Outlook\\*\\URL")
   and event.type : ("creation", "change"))
  or
  /* Ruler tool targeting Outlook Home Page feature */
  (event.category == "process" and event.type == "start"
   and (process.args : "--homepage" or
        (process.name : "ruler" and process.args : ("homepage", "homepages"))))
)

high severity high confidence

Data Sources

Endpoint Windows Registry

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-*

False Positives

Legitimate corporate Outlook Home Page configurations deployed via Group Policy that set a sanctioned intranet URL, causing Outlook to spawn a browser process on folder open.
IT administrators or automated provisioning tools writing Outlook HomePage registry keys as part of a standard desktop image build.
Security researchers or red team operators running the Ruler tool in an authorized penetration test against the organization's Exchange environment.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Image" AS child_process,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_process,
  "TargetObject" AS registry_key,
  CASE
    WHEN devicetype = 13 AND UPPER("ParentImage") LIKE '%OUTLOOK.EXE'
         AND (UPPER("Image") LIKE '%IEXPLORE.EXE'
              OR UPPER("Image") LIKE '%MSEDGE.EXE'
              OR UPPER("Image") LIKE '%WSCRIPT.EXE'
              OR UPPER("Image") LIKE '%CSCRIPT.EXE'
              OR UPPER("Image") LIKE '%MSHTA.EXE'
              OR UPPER("Image") LIKE '%POWERSHELL.EXE'
              OR UPPER("Image") LIKE '%CMD.EXE'
              OR UPPER("Image") LIKE '%RUNDLL32.EXE')
         AND CATEGORYNAME(category) LIKE '%Process%'
      THEN 'Outlook_HomePage_Child_Proc'
    WHEN (UPPER("TargetObject") LIKE '%OUTLOOK%HOMEPAGE%'
          OR (UPPER("TargetObject") LIKE '%OUTLOOK%' AND "RegistryValueName" ILIKE 'URL'))
         AND CATEGORYNAME(category) LIKE '%Registry%'
      THEN 'Outlook_HomePage_Registry'
    WHEN (UPPER("CommandLine") LIKE '%-HOMEPAGE%'
          OR (UPPER("CommandLine") LIKE '%RULER%'
              AND (UPPER("CommandLine") LIKE '%HOMEPAGE%' OR UPPER("CommandLine") LIKE '%HOMEPAGES%')))
         AND CATEGORYNAME(category) LIKE '%Process%'
      THEN 'Ruler_HomePage_Attack'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (13, 14, 15) -- Sysmon / Windows Security / System
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    (UPPER("ParentImage") LIKE '%OUTLOOK.EXE'
      AND (UPPER("Image") LIKE '%IEXPLORE.EXE' OR UPPER("Image") LIKE '%MSHTA.EXE'
           OR UPPER("Image") LIKE '%WSCRIPT.EXE' OR UPPER("Image") LIKE '%CSCRIPT.EXE'
           OR UPPER("Image") LIKE '%POWERSHELL.EXE' OR UPPER("Image") LIKE '%CMD.EXE'
           OR UPPER("Image") LIKE '%RUNDLL32.EXE' OR UPPER("Image") LIKE '%MSEDGE.EXE'))
    OR UPPER("TargetObject") LIKE '%OUTLOOK%HOMEPAGE%'
    OR (UPPER("TargetObject") LIKE '%OUTLOOK%' AND "RegistryValueName" ILIKE 'URL')
    OR UPPER("CommandLine") LIKE '%-HOMEPAGE%'
    OR (UPPER("CommandLine") LIKE '%RULER%'
        AND (UPPER("CommandLine") LIKE '%HOMEPAGE%' OR UPPER("CommandLine") LIKE '%HOMEPAGES%'))
  )
  AND detection_type IS NOT NULL
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon

Required Tables

events

False Positives

Enterprise Group Policy pushing a legitimate SharePoint or intranet URL to the Outlook Home Page setting, causing recurring registry writes across many hosts simultaneously.
Help-desk tooling or endpoint management agents that modify Outlook profile registry keys during mailbox provisioning or migration activities.
Red team or purple team exercises using the Ruler tool under an authorized engagement scope that includes Exchange Home Page testing.

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| json auto
// Normalize key fields from Sysmon XML parsed via Sumo
| parse field=_raw "<Image><![CDATA[*]]></Image>" as process_image nodrop
| parse field=_raw "<ParentImage><![CDATA[*]]></ParentImage>" as parent_image nodrop
| parse field=_raw "<CommandLine><![CDATA[*]]></CommandLine>" as command_line nodrop
| parse field=_raw "<TargetObject><![CDATA[*]]></TargetObject>" as registry_target nodrop
| parse field=_raw "<User><![CDATA[*]]></User>" as user nodrop
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
// Branch 1: Outlook spawning browser or script-engine child (EventCode 1)
| where (
    event_id == "1"
    and toLowerCase(parent_image) matches "*outlook.exe*"
    and (
      toLowerCase(process_image) matches "*iexplore.exe*"
      or toLowerCase(process_image) matches "*msedge.exe*"
      or toLowerCase(process_image) matches "*wscript.exe*"
      or toLowerCase(process_image) matches "*cscript.exe*"
      or toLowerCase(process_image) matches "*mshta.exe*"
      or toLowerCase(process_image) matches "*powershell.exe*"
      or toLowerCase(process_image) matches "*cmd.exe*"
      or toLowerCase(process_image) matches "*rundll32.exe*"
    )
  )
  or (
    // Branch 2: Registry key create/set for Outlook HomePage (EventCode 12 or 13)
    (event_id == "12" or event_id == "13")
    and (
      (toLowerCase(registry_target) matches "*outlook*" and toLowerCase(registry_target) matches "*homepage*")
      or (toLowerCase(registry_target) matches "*outlook*" and toLowerCase(registry_target) matches "*url*")
    )
  )
  or (
    // Branch 3: Ruler tool executing Home Page attack (EventCode 1)
    event_id == "1"
    and (
      toLowerCase(command_line) matches "*--homepage*"
      or (
        toLowerCase(command_line) matches "*ruler*"
        and (
          toLowerCase(command_line) matches "*homepage*"
          or toLowerCase(command_line) matches "*homepages*"
        )
      )
    )
  )
| eval detection_type = if(
    event_id == "1" and toLowerCase(parent_image) matches "*outlook.exe*",
    "Outlook_HomePage_Child_Proc",
    if(
      (event_id == "12" or event_id == "13") and toLowerCase(registry_target) matches "*outlook*homepage*",
      "Outlook_HomePage_Registry",
      "Ruler_HomePage_Attack"
    )
  )
| table _messageTime, Computer, user, detection_type, process_image, command_line, parent_image, registry_target
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon Windows Event Log

Required Tables

windows/sysmon

False Positives

Automated desktop provisioning scripts that pre-configure a corporate Outlook Home Page URL by writing directly to the registry during new-employee onboarding.
Microsoft Exchange or Outlook updates that internally rewrite Outlook profile registry settings, including HomePage keys, as part of an upgrade routine.
Security awareness simulation tools or authorized red team exercises using Ruler to demonstrate Home Page abuse without malicious intent.

Google Chronicle / SecOps

yaral

rule outlook_home_page_persistence_t1137_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Outlook Home Page persistence (T1137.004): Outlook spawning browser/script child processes, HomePage registry modifications, or Ruler tool Home Page attack arguments."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137.004"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-19"

  events:
    (
      // Branch 1: Outlook spawning a browser or script engine — Home Page code execution
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)outlook\.exe$`)
      and re.regex($e1.target.process.file.full_path,
        `(?i)(iexplore|msedge|wscript|cscript|mshta|powershell|cmd|rundll32)\.exe$`)
    )
    or
    (
      // Branch 2: Outlook HomePage registry key creation or modification
      $e1.metadata.event_type = "REGISTRY_CREATION" or
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e1.target.registry.registry_key,
          `(?i)\\Outlook\\.*HomePage`) or
        (re.regex($e1.target.registry.registry_key, `(?i)\\Outlook\\`) and
         re.regex($e1.target.registry.registry_value_name, `(?i)^URL$`))
      )
    )
    or
    (
      // Branch 3: Ruler tool Home Page attack arguments
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.target.process.command_line, `(?i)--homepage`) or
        (
          re.regex($e1.target.process.command_line, `(?i)ruler`) and
          re.regex($e1.target.process.command_line, `(?i)(homepage|homepages)`)
        )
      )
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint Telemetry

Required Tables

UDM Events

False Positives

Corporate Exchange administrators deploying a sanctioned intranet portal via Outlook Home Page policy, causing outlook.exe to spawn a browser process on the initial folder open across a fleet of machines.
Endpoint management agents (SCCM, Intune) modifying Outlook registry profile keys including HomePage URL entries as part of a managed software deployment.
Authorized penetration testers using Ruler as part of a red team engagement scoped to include Outlook persistence techniques against an Exchange On-Premises environment.

CrowdStrike LogScale (CQL)

cql

// T1137.004 — Outlook Home Page Persistence Detection
// Branch 1: Outlook spawning browser or script-engine child process
#event_simpleName=ProcessRollup2
| ParentBaseFileName = "outlook.exe"
| FileName in ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")
| eval DetectionType="Outlook_HomePage_Child_Proc"
| table([@timestamp, ComputerName, UserName, DetectionType, FileName, CommandLine,
         ParentBaseFileName, ParentCommandLine])

// Branch 2: Registry modification targeting Outlook HomePage keys
| union [
  #event_simpleName in ("RegGenericValueUpdate", "RegStringValueUpdate", "AsepValueUpdate")
  | ObjectName = /(?i)\\Outlook\\.*HomePage/i
     OR (ObjectName = /(?i)\\Outlook\\/i AND ValueName = /(?i)^URL$/i)
  | eval DetectionType="Outlook_HomePage_Registry"
  | table([@timestamp, ComputerName, UserName, DetectionType, ObjectName,
           ValueName, RegStringValue, ImageFileName])
]

// Branch 3: Ruler tool executing Home Page attack
| union [
  #event_simpleName=ProcessRollup2
  | CommandLine = /(?i)--homepage/i
     OR (CommandLine = /(?i)ruler/i AND CommandLine = /(?i)(homepage|homepages)/i)
  | eval DetectionType="Ruler_HomePage_Attack"
  | table([@timestamp, ComputerName, UserName, DetectionType, FileName, CommandLine,
           ParentBaseFileName, ParentCommandLine])
]

| sort(@timestamp, order=desc, limit=500)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon Registry Events

Required Tables

ProcessRollup2 RegGenericValueUpdate RegStringValueUpdate AsepValueUpdate

False Positives

Enterprise Outlook Home Page deployments via Exchange WebDAV properties or Group Policy that configure a legitimate intranet URL, causing outlook.exe to legitimately spawn a browser process when users open certain mail folders.
IT helpdesk tooling that programmatically modifies Outlook MAPI profile registry settings during mailbox repair or re-provisioning workflows, writing HomePage and URL registry values.
Authorized internal red team or purple team assessments that use the Ruler open-source tool to demonstrate Outlook Home Page exploitation against Exchange On-Premises as part of a scoped engagement.

Outlook Home Page

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections