T1137.004 Microsoft Sentinel · KQL

Detect Outlook Home Page in Microsoft Sentinel

Adversaries abuse Microsoft Outlook's Home Page feature to load a malicious HTML/script page in the Outlook folder view, achieving persistent code execution whenever the affected folder is opened. The Home Page URL is stored in the user's mailbox, making it invisible to standard file monitoring. OilRig (APT34) has abused this technique along with CVE-2017-11774 to bypass Home Page restrictions. The Ruler tool automates both installation and triggering.

MITRE ATT&CK

Tactic: Persistence
Technique: T1137 Office Application Startup
Sub-technique: T1137.004 Outlook Home Page
Canonical reference: https://attack.mitre.org/techniques/T1137/004/

KQL Detection Query

Microsoft Sentinel (KQL)

// T1137.004 - Outlook Home Page persistence detection
// The Home Page URL is stored per-folder in the mailbox; execution leaves browser/script engine traces
// Part 1: Detect Outlook spawning browser-related or scripting processes (Home Page execution)
let OutlookHomePage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")
| extend DetectionType = "Outlook_Home_Page_Child_Proc"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect registry writes for Outlook folder Home Page URL settings
// Folder Home Page URLs are stored under ...\Outlook\WebView\<Folder>\URL (see Test 1 below),
// so match the WebView path explicitly as well as any "HomePage" key under Outlook
let OutlookHomepageReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Outlook", "WebView") or
        RegistryKey has_all ("Outlook", "HomePage") or
        (RegistryKey has "Outlook" and RegistryValueName =~ "URL")
| extend DetectionType = "Outlook_HomePage_Registry"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect Ruler usage targeting the Home Page feature
let RulerHomepage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("--homepage", "ruler") and
        ProcessCommandLine has_any ("homepages", "homepage", "--url")
| extend DetectionType = "Ruler_Homepage_Attack"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Combine all three parts, newest first
union OutlookHomePage, OutlookHomepageReg, RulerHomepage
| sort by Timestamp desc

Severity: high · Confidence: medium

Three-part detection for Outlook Home Page persistence. Part 1 catches Outlook spawning browser/scripting processes (iexplore.exe, mshta.exe, wscript.exe, PowerShell) which occurs when a Home Page URL loads malicious script content. Part 2 monitors for registry modifications to Outlook Home Page URL keys stored in HKCU\Software\Microsoft\Office\<version>\Outlook. Part 3 identifies Ruler tool command-line patterns targeting the homepage feature.

Data Sources

  • Process: Process Creation
  • Windows Registry: Registry Value Modification
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceRegistryEvents

False Positives & Tuning

  • SharePoint or intranet portals configured as legitimate Outlook folder home pages by IT administrators
  • Corporate Outlook customizations that load internal web dashboards in folder view
  • OWA (Outlook Web Access) client features that legitimately trigger browser-related processes
  • IT ticketing integrations that use Outlook Home Page to display ticket status within the email client
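As an added, runnable illustration (not part of the original page or its KQL), the same three-part logic plus the allowlist tuning from the list above, written in Python over constructed MDE-style records; the `WebView\<Folder>\URL` key form is taken from Test 1 below, and the intranet allowlist hosts are assumed.

```python
import re

# Script/browser hosts Outlook should not normally spawn (Part 1 of the KQL)
SCRIPT_HOSTS = {"iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}
# Part 2: folder Home Page URLs sit under ...\Outlook\WebView\<Folder>\URL; also accept any
# "HomePage" key under Outlook, mirroring the KQL
WEBVIEW_RE = re.compile(r"\\Outlook\\(WebView\\[^\\]+|.*HomePage)", re.IGNORECASE)
# Assumed (constructed) allowlist of intranet hosts IT legitimately configures as home pages
ALLOWED_HOMEPAGE_HOSTS = {"intranet.example.local", "sharepoint.example.local"}

def classify_process(ev):
    # Parts 1 and 3: Outlook spawning a script host, or Ruler homepage command-line patterns
    parent, child = ev.get("InitiatingProcessFileName", "").lower(), ev.get("FileName", "").lower()
    cmd = ev.get("ProcessCommandLine", "").lower()
    if parent == "outlook.exe" and child in SCRIPT_HOSTS:
        return "Outlook_Home_Page_Child_Proc"
    if ("ruler" in cmd or "--homepage" in cmd) and any(t in cmd for t in ("homepage", "--url")):
        return "Ruler_Homepage_Attack"
    return None

def classify_registry(ev):
    # Part 2: a Home Page URL written under an Outlook key, minus allowlisted intranet hosts
    key, name = ev.get("RegistryKey", ""), ev.get("RegistryValueName", "")
    if not (WEBVIEW_RE.search(key) or ("outlook" in key.lower() and name.lower() == "url")):
        return None
    host = re.match(r"https?://([^/:]+)", ev.get("RegistryValueData", ""), re.IGNORECASE)
    if host and host.group(1).lower() in ALLOWED_HOMEPAGE_HOSTS:
        return None  # known-good corporate home page, suppressed per the tuning list
    return "Outlook_HomePage_Registry"

def run_detection(process_events, registry_events):
    # Equivalent of the final "union ... | sort by Timestamp desc"
    hits = [(e["Timestamp"], d) for e in process_events if (d := classify_process(e))]
    hits += [(e["Timestamp"], d) for e in registry_events if (d := classify_registry(e))]
    return sorted(hits, reverse=True)

# Constructed sample telemetry using MDE column names (not real logs)
PROC = [
    {"Timestamp": "2024-01-01T10:00:00Z", "InitiatingProcessFileName": "OUTLOOK.EXE",
     "FileName": "mshta.exe", "ProcessCommandLine": "mshta.exe http://127.0.0.1:8080/page.hta"},
    {"Timestamp": "2024-01-01T10:05:00Z", "InitiatingProcessFileName": "cmd.exe",
     "FileName": "ruler.exe", "ProcessCommandLine": "ruler --homepage --url http://127.0.0.1:8080/malicious.html"},
    {"Timestamp": "2024-01-01T10:06:00Z", "InitiatingProcessFileName": "OUTLOOK.EXE",
     "FileName": "winword.exe", "ProcessCommandLine": "winword.exe /n"}]
REG = [
    {"Timestamp": "2024-01-01T09:59:00Z", "RegistryValueName": "URL",
     "RegistryKey": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox",
     "RegistryValueData": "http://127.0.0.1:8080/malicious.html"},
    {"Timestamp": "2024-01-01T08:00:00Z", "RegistryValueName": "URL",
     "RegistryKey": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar",
     "RegistryValueData": "https://intranet.example.local/dashboard"}]
```

Calling `run_detection(PROC, REG)` flags the Ruler command line, the mshta child of Outlook and the Inbox URL write, while the Calendar entry pointing at the allowlisted intranet host is suppressed.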
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Set Outlook Folder Home Page Registry Value

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Outlook\WebView\Inbox\URL' and Details='http://127.0.0.1:8080/malicious.html'. Security Event ID 4657 if registry auditing is enabled.

  2. Test 2: Simulate Ruler Homepage Attack Command

    Expected signal: if Ruler were actually executed, Sysmon Event ID 1 with Image=ruler.exe and CommandLine containing '--homepage', and Sysmon Event ID 3 with a connection to Exchange EWS on port 443.

  3. Test 3: Verify CVE-2017-11774 Patch Status

    Expected signal: Sysmon Event ID 1: powershell.exe with command line containing 'Get-HotFix' and CVE-related KB numbers. No system changes made.
