Detect Outlook Home Page in Elastic Security
Adversaries abuse Microsoft Outlook's Home Page feature to load a malicious HTML/script page in the Outlook folder view, achieving persistent code execution whenever the affected folder is opened. The Home Page URL is stored in the user's mailbox, making it invisible to standard file monitoring. OilRig (APT34) has abused this technique along with CVE-2017-11774 to bypass Home Page restrictions. The Ruler tool automates both installation and triggering.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Sub-technique
- T1137.004 Outlook Home Page
- Canonical reference
- https://attack.mitre.org/techniques/T1137/004/
Elastic Detection Query
sequence by host.name with maxspan=5m
[
process where event.type == "start"
and process.parent.name : "outlook.exe"
and process.name : ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")
] by process.parent.entity_id
any where
(
/* Outlook spawning browser/script engine — Home Page execution */
(event.category == "process" and event.type == "start"
and process.parent.name : "outlook.exe"
and process.name : ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe"))
or
/* Outlook HomePage registry key creation/modification */
(event.category == "registry"
and registry.path : ("*\\Outlook\\HomePage*", "*\\Outlook\\*\\URL")
and event.type : ("creation", "change"))
or
/* Ruler tool targeting Outlook Home Page feature */
(event.category == "process" and event.type == "start"
and (process.args : "--homepage" or
(process.name : "ruler" and process.args : ("homepage", "homepages"))))
)Detects Outlook Home Page persistence (T1137.004) via three signals: Outlook spawning browser or script-engine child processes during Home Page rendering, registry modifications to Outlook folder HomePage URL keys, and execution of the Ruler tool with Home Page attack arguments.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate corporate Outlook Home Page configurations deployed via Group Policy that set a sanctioned intranet URL, causing Outlook to spawn a browser process on folder open.
- IT administrators or automated provisioning tools writing Outlook HomePage registry keys as part of a standard desktop image build.
- Security researchers or red team operators running the Ruler tool in an authorized penetration test against the organization's Exchange environment.
Other platforms for T1137.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set Outlook Folder Home Page Registry Value
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Outlook\WebView\Inbox\URL' and Details='http://127.0.0.1:8080/malicious.html'. Security Event ID 4657 if registry auditing is enabled.
- Test 2Simulate Ruler Homepage Attack Command
Expected signal: If Ruler were actually executed: Sysmon Event ID 1 with Image=ruler.exe and CommandLine containing '--homepage'. Sysmon Event ID 3 with connection to Exchange EWS on port 443.
- Test 3Verify CVE-2017-11774 Patch Status
Expected signal: Sysmon Event ID 1: powershell.exe with command line containing 'Get-HotFix' and CVE-related KB numbers. No system changes made.
References (6)
- https://attack.mitre.org/techniques/T1137/004/
- https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
Unlock Pro Content
Get the full detection package for T1137.004 including response playbook, investigation guide, and atomic red team tests.