T1137.004 Google Chronicle · YARA-L

Detect Outlook Home Page in Google Chronicle

Adversaries abuse Microsoft Outlook's Home Page feature to load a malicious HTML/script page in the Outlook folder view, achieving persistent code execution whenever the affected folder is opened. The Home Page URL is stored in the user's mailbox, making it invisible to standard file monitoring. OilRig (APT34) has abused this technique along with CVE-2017-11774 to bypass Home Page restrictions. The Ruler tool automates both installation and triggering.

MITRE ATT&CK

Tactic: Persistence
Technique: T1137 Office Application Startup
Sub-technique: T1137.004 Outlook Home Page
Canonical reference: https://attack.mitre.org/techniques/T1137/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule outlook_home_page_persistence_t1137_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Outlook Home Page persistence (T1137.004): Outlook spawning browser/script child processes, HomePage registry modifications, or Ruler tool Home Page attack arguments."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137.004"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-19"

  events:
    (
      // Branch 1: Outlook spawning a browser or script engine — Home Page code execution
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)outlook\.exe$`)
      and re.regex($e1.target.process.file.full_path,
        `(?i)(iexplore|msedge|wscript|cscript|mshta|powershell|cmd|rundll32)\.exe$`)
    )
    or
    (
      // Branch 2: Outlook HomePage registry key creation or modification.
      // The two event-type tests are grouped so the key filter applies to both;
      // without the parentheses "and" binds tighter than "or" and every
      // REGISTRY_CREATION event would match regardless of the key.
      (
        $e1.metadata.event_type = "REGISTRY_CREATION" or
        $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      )
      and (
        re.regex($e1.target.registry.registry_key,
          `(?i)\\Outlook\\.*HomePage`) or
        (re.regex($e1.target.registry.registry_key, `(?i)\\Outlook\\`) and
         re.regex($e1.target.registry.registry_value_name, `(?i)^URL$`))
      )
    )
    or
    (
      // Branch 3: Ruler tool Home Page attack arguments
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.target.process.command_line, `(?i)--homepage`) or
        (
          re.regex($e1.target.process.command_line, `(?i)ruler`) and
          re.regex($e1.target.process.command_line, `(?i)(homepage|homepages)`)
        )
      )
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting Outlook Home Page persistence (T1137.004) with three event branches mapped to UDM: PROCESS_LAUNCH events where outlook.exe spawns browser/scripting child processes, REGISTRY_CREATION or REGISTRY_MODIFICATION events targeting Outlook HomePage registry paths, and PROCESS_LAUNCH events with Ruler tool Home Page attack arguments in the command line.
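To check that each branch fires only on the events it is meant to, here is an added Python emulation of the rule's logic (not part of the original page or the Argus rule) run over constructed UDM-style events; the field paths follow the rule, the sample values are made up, and the optional ungrouped mode shows what happens when the two registry event-type tests are not parenthesised.

```python
import re

# Constructed UDM-style events (flattened field paths), one per rule branch plus two benign ones.
# Values are made up for illustration and are not real telemetry.
SAMPLE_EVENTS = [
    {"id": "outlook-spawn", "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target.process.file.full_path": r"C:\Windows\System32\mshta.exe", "target.process.command_line": ""},
    {"id": "homepage-reg", "metadata.event_type": "REGISTRY_MODIFICATION",
     "target.registry.registry_key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox",
     "target.registry.registry_value_name": "URL"},
    {"id": "ruler-cli", "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe",
     "target.process.file.full_path": r"C:\Tools\ruler.exe",
     "target.process.command_line": "ruler.exe --homepage http://example.invalid/page.html"},  # constructed
    {"id": "benign-reg", "metadata.event_type": "REGISTRY_CREATION",
     "target.registry.registry_key": r"HKCU\Software\Contoso\App", "target.registry.registry_value_name": "Installed"},
    {"id": "benign-spawn", "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Windows\explorer.exe",
     "target.process.file.full_path": r"C:\Windows\System32\notepad.exe", "target.process.command_line": "notepad"},
]

def rx(pattern, value):
    # YARA-L re.regex() is an unanchored RE2 search; emulate it and tolerate a missing field.
    return re.search(pattern, value or "") is not None

def branch_outlook_child(ev):
    return (ev.get("metadata.event_type") == "PROCESS_LAUNCH"
            and rx(r"(?i)outlook\.exe$", ev.get("principal.process.file.full_path"))
            and rx(r"(?i)(iexplore|msedge|wscript|cscript|mshta|powershell|cmd|rundll32)\.exe$",
                   ev.get("target.process.file.full_path")))

def branch_homepage_registry(ev, grouped=True):
    etype = ev.get("metadata.event_type")
    key, name = ev.get("target.registry.registry_key"), ev.get("target.registry.registry_value_name")
    key_hit = (rx(r"(?i)\\Outlook\\.*HomePage", key)
               or (rx(r"(?i)\\Outlook\\", key) and rx(r"(?i)^URL$", name)))
    if grouped:
        return etype in ("REGISTRY_CREATION", "REGISTRY_MODIFICATION") and key_hit
    # Ungrouped form mirrors "A or B and C": any REGISTRY_CREATION matches regardless of the key.
    return etype == "REGISTRY_CREATION" or (etype == "REGISTRY_MODIFICATION" and key_hit)

def branch_ruler_args(ev):
    cmd = ev.get("target.process.command_line")
    return (ev.get("metadata.event_type") == "PROCESS_LAUNCH"
            and (rx(r"(?i)--homepage", cmd) or (rx(r"(?i)ruler", cmd) and rx(r"(?i)(homepage|homepages)", cmd))))

def matching_ids(events, grouped=True):
    # Returns the ids of events that would trigger the rule, in input order.
    return [ev["id"] for ev in events
            if branch_outlook_child(ev) or branch_homepage_registry(ev, grouped) or branch_ruler_args(ev)]
```

With the grouped form only the three intended events match; the ungrouped form also flags the unrelated Contoso registry creation, which is the precedence pitfall to avoid when editing the rule.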

Data Sources

Google Chronicle UDM
Windows Endpoint Telemetry

Required Tables

UDM Events

False Positives & Tuning

  • Corporate Exchange administrators deploying a sanctioned intranet portal via Outlook Home Page policy, causing outlook.exe to spawn a browser process on the initial folder open across a fleet of machines.
  • Endpoint management agents (SCCM, Intune) modifying Outlook registry profile keys including HomePage URL entries as part of a managed software deployment.
  • Authorized penetration testers using Ruler as part of a red team engagement scoped to include Outlook persistence techniques against an Exchange On-Premises environment.

Testing Methodology

Validate this detection against the 3 Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Set Outlook Folder Home Page Registry Value

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Outlook\WebView\Inbox\URL' and Details='http://127.0.0.1:8080/malicious.html'. Security Event ID 4657 if registry auditing is enabled.

  2. Test 2: Simulate Ruler Homepage Attack Command

    Expected signal: If Ruler were actually executed: Sysmon Event ID 1 with Image=ruler.exe and CommandLine containing '--homepage'. Sysmon Event ID 3 with connection to Exchange EWS on port 443.

  3. Test 3: Verify CVE-2017-11774 Patch Status

    Expected signal: Sysmon Event ID 1: powershell.exe with command line containing 'Get-HotFix' and CVE-related KB numbers. No system changes made.
