T1137.004 Sumo Logic CSE · Sumo

Detect Outlook Home Page in Sumo Logic CSE

Adversaries abuse Microsoft Outlook's Home Page feature to load a malicious HTML/script page in the Outlook folder view, achieving persistent code execution whenever the affected folder is opened. The Home Page URL is stored in the user's mailbox, making it invisible to standard file monitoring. OilRig (APT34) has abused this technique along with CVE-2017-11774 to bypass Home Page restrictions. The Ruler tool automates both installation and triggering.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.004 Outlook Home Page
Canonical reference
https://attack.mitre.org/techniques/T1137/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
// nodrop keeps the raw Sysmon XML events, which are not JSON and would otherwise be discarded
| json auto nodrop
// Normalize key fields from Sysmon XML parsed via Sumo
| parse field=_raw "<Computer>*</Computer>" as Computer nodrop
| parse field=_raw "<Image><![CDATA[*]]></Image>" as process_image nodrop
| parse field=_raw "<ParentImage><![CDATA[*]]></ParentImage>" as parent_image nodrop
| parse field=_raw "<CommandLine><![CDATA[*]]></CommandLine>" as command_line nodrop
| parse field=_raw "<TargetObject><![CDATA[*]]></TargetObject>" as registry_target nodrop
| parse field=_raw "<User><![CDATA[*]]></User>" as user nodrop
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
// Branch 1: Outlook spawning browser or script-engine child (EventCode 1)
| where (
    event_id == "1"
    and toLowerCase(parent_image) matches "*outlook.exe*"
    and (
      toLowerCase(process_image) matches "*iexplore.exe*"
      or toLowerCase(process_image) matches "*msedge.exe*"
      or toLowerCase(process_image) matches "*wscript.exe*"
      or toLowerCase(process_image) matches "*cscript.exe*"
      or toLowerCase(process_image) matches "*mshta.exe*"
      or toLowerCase(process_image) matches "*powershell.exe*"
      or toLowerCase(process_image) matches "*cmd.exe*"
      or toLowerCase(process_image) matches "*rundll32.exe*"
    )
  )
  or (
    // Branch 2: Registry key create/set for Outlook HomePage (EventCode 12 or 13)
    (event_id == "12" or event_id == "13")
    and (
      (toLowerCase(registry_target) matches "*outlook*" and toLowerCase(registry_target) matches "*homepage*")
      or (toLowerCase(registry_target) matches "*outlook*" and toLowerCase(registry_target) matches "*url*")
    )
  )
  or (
    // Branch 3: Ruler tool executing Home Page attack (EventCode 1)
    event_id == "1"
    and (
      toLowerCase(command_line) matches "*--homepage*"
      or (
        toLowerCase(command_line) matches "*ruler*"
        and (
          toLowerCase(command_line) matches "*homepage*"
          or toLowerCase(command_line) matches "*homepages*"
        )
      )
    )
  )
// Label each hit. Registry events are classified by event ID so that keys matched through
// the "*url*" form in Branch 2 are not mislabeled as Ruler activity.
| if(
    event_id == "1" and toLowerCase(parent_image) matches "*outlook.exe*",
    "Outlook_HomePage_Child_Proc",
    if(
      event_id == "12" or event_id == "13",
      "Outlook_HomePage_Registry",
      "Ruler_HomePage_Attack"
    )
  ) as detection_type
| fields _messageTime, Computer, user, detection_type, process_image, command_line, parent_image, registry_target
| sort by _messageTime desc
```

Severity: high. Confidence: medium.

Sumo Logic CSE query detecting Outlook Home Page persistence (T1137.004) by parsing Sysmon XML events for three patterns: Outlook spawning suspicious child processes (browser/script engines via EID 1), Outlook folder HomePage registry key modifications (EID 12/13), and Ruler tool invocations with Home Page targeting arguments.
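As an added example (not the page's or Sumo Logic's own code), the three branches of the query above replayed in Python over constructed Sysmon XML samples, so the classification can be checked offline; the registry key prefix, the Ruler command line and the file paths in the samples are assumptions.

```python
import re
# Child processes the Sumo query flags when the parent is outlook.exe (Branch 1).
SUSPICIOUS_CHILDREN = ("iexplore.exe", "msedge.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")

# Constructed sample events in the CDATA-wrapped XML shape the query's parse lines expect;
# the registry path beyond the page's 'Outlook\WebView\Inbox\URL' fragment is made up.
SAMPLE_EVENTS = [
    r"<Event><EventID>1</EventID><Image><![CDATA[C:\Windows\System32\mshta.exe]]></Image>"
    r"<ParentImage><![CDATA[C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE]]></ParentImage>"
    r"<CommandLine><![CDATA[mshta.exe http://127.0.0.1:8080/malicious.html]]></CommandLine></Event>",
    r"<Event><EventID>13</EventID><Image><![CDATA[C:\Windows\regedit.exe]]></Image><TargetObject>"
    r"<![CDATA[HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL]]></TargetObject></Event>",
    r"<Event><EventID>1</EventID><Image><![CDATA[C:\Tools\ruler.exe]]></Image>"
    r"<ParentImage><![CDATA[C:\Windows\System32\cmd.exe]]></ParentImage><CommandLine>"
    r"<![CDATA[ruler.exe --email user@example.com homepage add --url http://127.0.0.1:8080/malicious.html]]></CommandLine></Event>",
    r"<Event><EventID>1</EventID><Image><![CDATA[C:\Windows\System32\notepad.exe]]></Image>"
    r"<ParentImage><![CDATA[C:\Windows\explorer.exe]]></ParentImage>"
    r"<CommandLine><![CDATA[notepad.exe notes.txt]]></CommandLine></Event>",
]
TAGS = {"Image": "process_image", "ParentImage": "parent_image", "CommandLine": "command_line",
        "TargetObject": "registry_target", "User": "user"}

def parse_sysmon_xml(raw: str) -> dict:
    """Extract the fields the query parses, lowercased; a missing tag yields '' (nodrop)."""
    fields = {name: "" for name in TAGS.values()}
    for tag, name in TAGS.items():
        m = re.search(rf"<{tag}><!\[CDATA\[(.*?)\]\]></{tag}>", raw, re.S)
        if m:
            fields[name] = m.group(1).lower()
    m = re.search(r"<EventID>(\d+)</EventID>", raw)
    fields["event_id"] = m.group(1) if m else ""
    return fields

def classify(raw: str):
    """Return the detection_type label the query assigns, or None when no branch matches."""
    f = parse_sysmon_xml(raw)
    eid, img, parent = f["event_id"], f["process_image"], f["parent_image"]
    cmd, reg = f["command_line"], f["registry_target"]
    if eid == "1" and "outlook.exe" in parent and any(c in img for c in SUSPICIOUS_CHILDREN):
        return "Outlook_HomePage_Child_Proc"      # Branch 1
    if eid in ("12", "13") and "outlook" in reg and ("homepage" in reg or "url" in reg):
        return "Outlook_HomePage_Registry"        # Branch 2, both key spellings
    if eid == "1" and ("--homepage" in cmd or ("ruler" in cmd and "homepage" in cmd)):
        return "Ruler_HomePage_Attack"            # Branch 3
    return None

def run_detection() -> list:
    """Classify every sample; the query's where clause would drop the None entries."""
    return [classify(raw) for raw in SAMPLE_EVENTS]
```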

Data Sources

Windows Sysmon
Windows Event Log

Required Tables

windows/sysmon

False Positives & Tuning

  • Automated desktop provisioning scripts that pre-configure a corporate Outlook Home Page URL by writing directly to the registry during new-employee onboarding.
  • Microsoft Exchange or Outlook updates that internally rewrite Outlook profile registry settings, including HomePage keys, as part of an upgrade routine.
  • Security awareness simulation tools or authorized red team exercises using Ruler to demonstrate Home Page abuse without malicious intent.

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Set Outlook Folder Home Page Registry Value

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Outlook\WebView\Inbox\URL' and Details='http://127.0.0.1:8080/malicious.html'. Security Event ID 4657 if registry auditing is enabled.

  2. Test 2: Simulate Ruler Homepage Attack Command

    Expected signal: If Ruler were actually executed: Sysmon Event ID 1 with Image=ruler.exe and CommandLine containing '--homepage'. Sysmon Event ID 3 with connection to Exchange EWS on port 443.

  3. Test 3: Verify CVE-2017-11774 Patch Status

    Expected signal: Sysmon Event ID 1: powershell.exe with command line containing 'Get-HotFix' and CVE-related KB numbers. No system changes made.
