T1137.004 CrowdStrike LogScale · LogScale

Detect Outlook Home Page in CrowdStrike LogScale

Adversaries abuse Microsoft Outlook's Home Page feature to load a malicious HTML/script page in the Outlook folder view, achieving persistent code execution whenever the affected folder is opened. The Home Page URL is stored in the user's mailbox, making it invisible to standard file monitoring. OilRig (APT34) has abused this technique along with CVE-2017-11774 to bypass Home Page restrictions. The Ruler tool automates both installation and triggering.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.004 Outlook Home Page
Canonical reference
https://attack.mitre.org/techniques/T1137/004/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1137.004 — Outlook Home Page Persistence Detection
// Branch 1: Outlook spawning browser or script-engine child process
#event_simpleName=ProcessRollup2
| ParentBaseFileName = "outlook.exe"
| FileName in ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")
| eval DetectionType="Outlook_HomePage_Child_Proc"
| table([@timestamp, ComputerName, UserName, DetectionType, FileName, CommandLine,
         ParentBaseFileName, ParentCommandLine])

// Branch 2: Registry modification targeting Outlook HomePage keys
| union [
  #event_simpleName in ("RegGenericValueUpdate", "RegStringValueUpdate", "AsepValueUpdate")
  | ObjectName = /(?i)\\Outlook\\.*HomePage/i
     OR (ObjectName = /(?i)\\Outlook\\/i AND ValueName = /(?i)^URL$/i)
  | eval DetectionType="Outlook_HomePage_Registry"
  | table([@timestamp, ComputerName, UserName, DetectionType, ObjectName,
           ValueName, RegStringValue, ImageFileName])
]

// Branch 3: Ruler tool executing Home Page attack
| union [
  #event_simpleName=ProcessRollup2
  | CommandLine = /(?i)--homepage/i
     OR (CommandLine = /(?i)ruler/i AND CommandLine = /(?i)(homepage|homepages)/i)
  | eval DetectionType="Ruler_HomePage_Attack"
  | table([@timestamp, ComputerName, UserName, DetectionType, FileName, CommandLine,
           ParentBaseFileName, ParentCommandLine])
]

| sort(@timestamp, order=desc, limit=500)
high severity high confidence

CrowdStrike LogScale (Falcon) query detecting Outlook Home Page persistence (T1137.004) across three branches: ProcessRollup2 events where outlook.exe is the parent and a browser/scripting binary is the child, registry modification events (RegGenericValueUpdate/RegStringValueUpdate) targeting *Outlook*HomePage* paths, and ProcessRollup2 events containing Ruler tool Home Page attack arguments in the command line.

Data Sources

CrowdStrike Falcon EDRCrowdStrike Falcon Registry Events

Required Tables

ProcessRollup2RegGenericValueUpdateRegStringValueUpdateAsepValueUpdate

False Positives & Tuning

  • Enterprise Outlook Home Page deployments via Exchange WebDAV properties or Group Policy that configure a legitimate intranet URL, causing outlook.exe to legitimately spawn a browser process when users open certain mail folders.
  • IT helpdesk tooling that programmatically modifies Outlook MAPI profile registry settings during mailbox repair or re-provisioning workflows, writing HomePage and URL registry values.
  • Authorized internal red team or purple team assessments that use the Ruler open-source tool to demonstrate Outlook Home Page exploitation against Exchange On-Premises as part of a scoped engagement.
Download portable Sigma rule (.yml)

Other platforms for T1137.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Set Outlook Folder Home Page Registry Value

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Outlook\WebView\Inbox\URL' and Details='http://127.0.0.1:8080/malicious.html'. Security Event ID 4657 if registry auditing is enabled.

  2. Test 2Simulate Ruler Homepage Attack Command

    Expected signal: If Ruler were actually executed: Sysmon Event ID 1 with Image=ruler.exe and CommandLine containing '--homepage'. Sysmon Event ID 3 with connection to Exchange EWS on port 443.

  3. Test 3Verify CVE-2017-11774 Patch Status

    Expected signal: Sysmon Event ID 1: powershell.exe with command line containing 'Get-HotFix' and CVE-related KB numbers. No system changes made.

Last updated: 2026-04-19 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1137.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1137Office Application Startup

Related Sub-techniques

T1137.001Office Template MacrosT1137.002Office TestT1137.003Outlook FormsT1137.005Outlook RulesT1137.006Add-ins

Related Techniques

T1137Office Application StartupT1137.003Outlook FormsT1137.005Outlook RulesT1189Drive-by CompromiseT1059.007JavaScriptT1059.005Visual Basic

Same Tactic: Persistence

Popular Detections