Detect Outlook Home Page in IBM QRadar
Adversaries abuse Microsoft Outlook's Home Page feature to load a malicious HTML/script page in the Outlook folder view, achieving persistent code execution whenever the affected folder is opened. The Home Page URL is stored in the user's mailbox, making it invisible to standard file monitoring. OilRig (APT34) has abused this technique along with CVE-2017-11774 to bypass Home Page restrictions. The Ruler tool automates both installation and triggering.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.004 Outlook Home Page
- Canonical reference: https://attack.mitre.org/techniques/T1137/004/
QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Image" AS child_process,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_process,
  "TargetObject" AS registry_key,
  CASE
    -- Signal 1: Outlook spawning a browser or script host (Sysmon EID 1)
    WHEN devicetype = 13 AND UPPER("ParentImage") LIKE '%OUTLOOK.EXE'
      AND (UPPER("Image") LIKE '%IEXPLORE.EXE'
        OR UPPER("Image") LIKE '%MSEDGE.EXE'
        OR UPPER("Image") LIKE '%WSCRIPT.EXE'
        OR UPPER("Image") LIKE '%CSCRIPT.EXE'
        OR UPPER("Image") LIKE '%MSHTA.EXE'
        OR UPPER("Image") LIKE '%POWERSHELL.EXE'
        OR UPPER("Image") LIKE '%CMD.EXE'
        OR UPPER("Image") LIKE '%RUNDLL32.EXE')
      AND CATEGORYNAME(category) LIKE '%Process%'
    THEN 'Outlook_HomePage_Child_Proc'
    -- Signal 2: Home Page registry key or URL value written (Sysmon EID 12/13)
    WHEN (UPPER("TargetObject") LIKE '%OUTLOOK%HOMEPAGE%'
        OR (UPPER("TargetObject") LIKE '%OUTLOOK%' AND "RegistryValueName" ILIKE 'URL'))
      AND CATEGORYNAME(category) LIKE '%Registry%'
    THEN 'Outlook_HomePage_Registry'
    -- Signal 3: Ruler executed with Home Page arguments
    WHEN (UPPER("CommandLine") LIKE '%-HOMEPAGE%'
        OR (UPPER("CommandLine") LIKE '%RULER%'
          AND (UPPER("CommandLine") LIKE '%HOMEPAGE%' OR UPPER("CommandLine") LIKE '%HOMEPAGES%')))
      AND CATEGORYNAME(category) LIKE '%Process%'
    THEN 'Ruler_HomePage_Attack'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (13, 14, 15) -- Sysmon / Windows Security / System
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    (UPPER("ParentImage") LIKE '%OUTLOOK.EXE'
      AND (UPPER("Image") LIKE '%IEXPLORE.EXE' OR UPPER("Image") LIKE '%MSHTA.EXE'
        OR UPPER("Image") LIKE '%WSCRIPT.EXE' OR UPPER("Image") LIKE '%CSCRIPT.EXE'
        OR UPPER("Image") LIKE '%POWERSHELL.EXE' OR UPPER("Image") LIKE '%CMD.EXE'
        OR UPPER("Image") LIKE '%RUNDLL32.EXE' OR UPPER("Image") LIKE '%MSEDGE.EXE'))
    OR UPPER("TargetObject") LIKE '%OUTLOOK%HOMEPAGE%'
    OR (UPPER("TargetObject") LIKE '%OUTLOOK%' AND "RegistryValueName" ILIKE 'URL')
    OR UPPER("CommandLine") LIKE '%-HOMEPAGE%'
    OR (UPPER("CommandLine") LIKE '%RULER%'
      AND (UPPER("CommandLine") LIKE '%HOMEPAGE%' OR UPPER("CommandLine") LIKE '%HOMEPAGES%'))
  )
  -- The SELECT alias detection_type cannot be referenced in WHERE (AQL evaluates WHERE before SELECT);
  -- the OR block above already restricts rows to the same three signals, so no alias filter is needed.
ORDER BY starttime DESC

QRadar AQL query detecting Outlook Home Page persistence (T1137.004) across three sub-signals: Outlook spawning browser/scripting child processes (Sysmon EID 1 with ParentImage=outlook.exe), Outlook HomePage registry key creation/modification (Sysmon EID 12/13 on *Outlook*HomePage* paths, or any Outlook key whose value name is URL), and Ruler tool execution with Home Page attack arguments.
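To show how the three CASE branches above classify telemetry, here is an added Python classifier (not part of the page's detection package or QRadar itself) run over constructed Sysmon-style events. It mirrors the query's UPPER()/LIKE logic, omitting only the devicetype check, and demonstrates why the value-name branch matters: the real WebView path in Test 1 contains no 'HomePage' substring. The event dictionaries, paths and command lines are constructed sample data, not captured telemetry.

```python
from collections import Counter
from typing import Optional

# Child images the AQL query flags when OUTLOOK.EXE is the parent (Signal 1)
CHILD_PROCS = ("IEXPLORE.EXE", "MSEDGE.EXE", "WSCRIPT.EXE", "CSCRIPT.EXE",
               "MSHTA.EXE", "POWERSHELL.EXE", "CMD.EXE", "RUNDLL32.EXE")

# Constructed Sysmon-like events using the field names the query reads
SAMPLE_EVENTS = [
    {"category": "Process Create", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "mshta.exe http://127.0.0.1:8080/malicious.html"},
    {"category": "Registry Value Set", "RegistryValueName": "URL",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
     "Details": "http://127.0.0.1:8080/malicious.html"},
    {"category": "Process Create", "Image": r"C:\Tools\ruler.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ruler.exe --homepage add --url http://127.0.0.1:8080/home.html"},
    {"category": "Process Create", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "notepad.exe"},  # benign child: not in CHILD_PROCS
    {"category": "Registry Value Set", "RegistryValueName": "DefaultProfile",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Office\16.0\Outlook\Profiles"},
]


def _u(ev: dict, key: str) -> str:
    # Mirror UPPER(): case-insensitive comparison; a missing field compares as ''
    return str(ev.get(key, "")).upper()


def classify(ev: dict) -> Optional[str]:
    """Return the detection_type label the AQL CASE would assign, or None."""
    cat = _u(ev, "category")
    parent, image, cmd, target = (_u(ev, k) for k in ("ParentImage", "Image", "CommandLine", "TargetObject"))
    # Signal 1: Outlook spawning a browser/script host (devicetype check omitted here)
    if "PROCESS" in cat and parent.endswith("OUTLOOK.EXE") and image.endswith(CHILD_PROCS):
        return "Outlook_HomePage_Child_Proc"
    # Signal 2: HomePage key, or any Outlook key whose value name is URL (catches WebView\<folder>\URL)
    if "REGISTRY" in cat and "OUTLOOK" in target and ("HOMEPAGE" in target or _u(ev, "RegistryValueName") == "URL"):
        return "Outlook_HomePage_Registry"
    # Signal 3: Ruler invoked with homepage arguments
    if "PROCESS" in cat and ("-HOMEPAGE" in cmd or ("RULER" in cmd and "HOMEPAGE" in cmd)):
        return "Ruler_HomePage_Attack"
    return None


def summarize(events) -> dict:
    """Count hits per detection_type, dropping events that matched nothing."""
    return dict(Counter(label for label in map(classify, events) if label))
```

The benign Outlook profile write and the notepad child are the kind of events the tuning list below is about: they share a parent or key prefix with the malicious cases but match none of the three branches.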
Data Sources
Required Tables
False Positives & Tuning
- Enterprise Group Policy pushing a legitimate SharePoint or intranet URL to the Outlook Home Page setting, causing recurring registry writes across many hosts simultaneously.
- Help-desk tooling or endpoint management agents that modify Outlook profile registry keys during mailbox provisioning or migration activities.
- Red team or purple team exercises using the Ruler tool under an authorized engagement scope that includes Exchange Home Page testing.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Set Outlook Folder Home Page Registry Value
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Outlook\WebView\Inbox\URL' and Details='http://127.0.0.1:8080/malicious.html'. Security Event ID 4657 if registry auditing is enabled.
- Test 2: Simulate Ruler Homepage Attack Command
Expected signal: If Ruler were actually executed: Sysmon Event ID 1 with Image=ruler.exe and CommandLine containing '--homepage'. Sysmon Event ID 3 with connection to Exchange EWS on port 443.
- Test 3: Verify CVE-2017-11774 Patch Status
Expected signal: Sysmon Event ID 1: powershell.exe with command line containing 'Get-HotFix' and CVE-related KB numbers. No system changes made.
References (6)
- https://attack.mitre.org/techniques/T1137/004/
- https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html