Detect Outlook Home Page in Splunk
Adversaries abuse Microsoft Outlook's Home Page feature to load a malicious HTML/script page in the Outlook folder view, achieving persistent code execution whenever the affected folder is opened. The Home Page URL is stored in the user's mailbox, making it invisible to standard file monitoring. OilRig (APT34) has abused this technique along with CVE-2017-11774 to bypass Home Page restrictions. The Ruler tool automates both installation and triggering.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Sub-technique
- T1137.004 Outlook Home Page
- Canonical reference
- https://attack.mitre.org/techniques/T1137/004/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
EventCode=1 AND match(ParentImage, "(?i)outlook\.exe") AND
match(Image, "(?i)(iexplore|msedge|wscript|cscript|mshta|powershell|cmd|rundll32)\.exe"),
"Outlook_HomePage_Child_Proc",
EventCode=12 AND match(TargetObject, "(?i)Outlook.*HomePage"),
"Outlook_HomePage_Registry_Create",
EventCode=13 AND match(TargetObject, "(?i)Outlook.*HomePage"),
"Outlook_HomePage_Registry_Set",
EventCode=1 AND (match(CommandLine, "(?i)--homepage") OR
(match(CommandLine, "(?i)ruler") AND match(CommandLine, "(?i)(homepage|homepages)"))),
"Ruler_HomePage_Attack",
true(), null()
)
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, ParentImage, TargetObject, Details
| sort - _timeDetects Outlook Home Page persistence via Sysmon. EventCode 1 catches Outlook spawning scripting/browser child processes (indicates Home Page script execution) and Ruler tool usage. EventCodes 12/13 catch registry activity on Outlook Home Page keys. The Ruler --homepage flag pattern is a reliable indicator of automated Home Page abuse.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate SharePoint/intranet home page configurations in Outlook
- IT-managed Outlook folder customizations using internal URLs
- Exchange admin scripts modifying Outlook folder properties
Other platforms for T1137.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set Outlook Folder Home Page Registry Value
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Outlook\WebView\Inbox\URL' and Details='http://127.0.0.1:8080/malicious.html'. Security Event ID 4657 if registry auditing is enabled.
- Test 2Simulate Ruler Homepage Attack Command
Expected signal: If Ruler were actually executed: Sysmon Event ID 1 with Image=ruler.exe and CommandLine containing '--homepage'. Sysmon Event ID 3 with connection to Exchange EWS on port 443.
- Test 3Verify CVE-2017-11774 Patch Status
Expected signal: Sysmon Event ID 1: powershell.exe with command line containing 'Get-HotFix' and CVE-related KB numbers. No system changes made.
References (6)
- https://attack.mitre.org/techniques/T1137/004/
- https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
Unlock Pro Content
Get the full detection package for T1137.004 including response playbook, investigation guide, and atomic red team tests.