T1137.005 Outlook Rules Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1137.005 — Outlook Rules persistence detection
// Rules stored in mailbox; execution triggers from email receipt
// Part 1: Detect processes spawned by Outlook that indicate rule execution
let OutlookRuleExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
| extend DetectionType = "Outlook_Rule_Execution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect Outlook spawning executables from user-writable locations (rule: run application)
let OutlookUserExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FolderPath has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\")
| where FolderPath !has "\\Microsoft Office\\"
| extend DetectionType = "Outlook_UserDir_Execution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, FolderPath, DetectionType;
// Part 3: Detect Ruler tool targeting Outlook rules
let RulerRules = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("--rules", "ruler") and
        ProcessCommandLine has_any ("rules", "add", "--target")
    or FileName =~ "ruler.exe"
| extend DetectionType = "Ruler_Rules_Attack"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
union OutlookRuleExec, OutlookUserExec, RulerRules
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate Outlook rules that run VBScripts for custom email processing (some organizations use this for compliance or workflow automation)
IT-managed rules that launch specific applications when trigger emails are received
Help desk automation scripts triggered by Outlook rules for ticket creation
Outlook integration with corporate workflow systems that respond to specially formatted emails

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval detection_type=case(
    match(ParentImage, "(?i)outlook\.exe") AND
      match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe"),
      "Outlook_Rule_Shell_Spawn",
    match(ParentImage, "(?i)outlook\.exe") AND
      match(Image, "(?i)\\\\(Users|Temp|AppData|ProgramData)\\\\") AND
      NOT match(Image, "(?i)Microsoft\\\\Office"),
      "Outlook_Rule_UserDir_Exec",
    (match(CommandLine, "(?i)--rules") OR match(Image, "(?i)ruler\.exe")),
      "Ruler_Rules_Detected",
    true(), null()
  )
| where isnotnull(detection_type)
| eval risk_score=case(
    detection_type="Outlook_Rule_Shell_Spawn", 8,
    detection_type="Outlook_Rule_UserDir_Exec", 9,
    detection_type="Ruler_Rules_Detected", 10,
    true(), 5
  )
| table _time, host, User, detection_type, risk_score, Image, CommandLine, ParentImage, ParentCommandLine
| sort - risk_score, - _time

high severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate organizational VBScript rules triggered by Outlook for workflow automation
IT automation tools launched by Outlook rules for ticket/incident management
Email-triggered scripts for compliance archiving systems

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start"
   and process.parent.name : "outlook.exe"
   and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                        "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")]

// Standalone: Outlook spawning processes from user-writable directories
process where event.type == "start"
  and process.parent.name : "outlook.exe"
  and (
    process.executable : ("*\\Users\\*", "*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*")
    and not process.executable : "*\\Microsoft Office\\*"
  )

// Standalone: Ruler tool detection
process where event.type == "start"
  and (
    process.name : "ruler.exe"
    or (process.args : "--rules" and process.args : ("add", "--target"))
    or process.command_line : "*ruler*rules*"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Outlook add-ins or plugins that legitimately spawn child processes such as PDF readers, archiving tools, or antivirus scanners triggered by email attachments
IT automation scripts that use Outlook COM automation and spawn helper processes for mail processing or archiving workflows
Security awareness training platforms that send test phishing emails and use Ruler-like tooling in authorized red team exercises

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "sourceip",
  QIDNAME(qid) AS event_name,
  "EventID",
  "ParentProcessName",
  "ProcessName",
  "CommandLine",
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%outlook.exe%'
      AND LOWER("ProcessName") MATCHES '(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe'
      THEN 'Outlook_Rule_Shell_Spawn'
    WHEN LOWER("ParentProcessName") LIKE '%outlook.exe%'
      AND (LOWER("ProcessName") LIKE '%\users\%'
           OR LOWER("ProcessName") LIKE '%\temp\%'
           OR LOWER("ProcessName") LIKE '%\appdata\%'
           OR LOWER("ProcessName") LIKE '%\programdata\%')
      AND LOWER("ProcessName") NOT LIKE '%microsoft\office%'
      THEN 'Outlook_Rule_UserDir_Exec'
    WHEN LOWER("ProcessName") LIKE '%ruler.exe%'
      OR (LOWER("CommandLine") LIKE '%--rules%' AND LOWER("CommandLine") LIKE '%-target%')
      THEN 'Ruler_Rules_Attack'
    ELSE NULL
  END AS detection_type,
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%outlook.exe%'
      AND LOWER("ProcessName") MATCHES '(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe'
      THEN 8
    WHEN LOWER("ParentProcessName") LIKE '%outlook.exe%'
      AND (LOWER("ProcessName") LIKE '%\users\%' OR LOWER("ProcessName") LIKE '%\appdata\%')
      THEN 9
    WHEN LOWER("ProcessName") LIKE '%ruler.exe%' THEN 10
    ELSE 5
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND ("EventID" = 1 OR "EventID" = 4688)
  AND LAST 24 HOURS
  AND (
    (LOWER("ParentProcessName") LIKE '%outlook.exe%')
    OR LOWER("ProcessName") LIKE '%ruler.exe%'
    OR (LOWER("CommandLine") LIKE '%--rules%' AND LOWER("CommandLine") LIKE '%ruler%')
  )
  AND detection_type IS NOT NULL
ORDER BY risk_score DESC, event_time DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon log source (QRadar DSM) Microsoft Sysmon via Universal DSM

Required Tables

events

False Positives

Outlook-integrated document management systems that spawn helper processes when emails with specific subjects are received and processed by workflow automation rules
Corporate unified communications platforms that use Outlook rules to trigger notifications via cmd.exe or PowerShell wrappers
Penetration testing engagements where the Ruler tool is used in authorized red team exercises against the organization's Exchange environment

Sumo Logic CSE

sql

// T1137.005 — Outlook Rules Persistence
_sourceCategory="WinEventLog/Sysmon" OR _sourceCategory="os/windows/sysmon"
| where EventID = "1"
| parse field=ParentImage "*" as parent_image nodrop
| parse field=Image "*" as process_image nodrop
| parse field=CommandLine "*" as command_line nodrop
| where (
    // Part 1: Outlook spawning LOLBins
    (matches(toLowerCase(parent_image), ".*outlook\.exe.*") AND
     matches(toLowerCase(process_image), ".*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe.*"))
    OR
    // Part 2: Outlook spawning from user-writable dirs
    (matches(toLowerCase(parent_image), ".*outlook\.exe.*") AND
     (matches(toLowerCase(process_image), ".*\\users\\.+") OR
      matches(toLowerCase(process_image), ".*\\temp\\.+") OR
      matches(toLowerCase(process_image), ".*\\appdata\\.+") OR
      matches(toLowerCase(process_image), ".*\\programdata\\.+")) AND
     !matches(toLowerCase(process_image), ".*microsoft\\office.*"))
    OR
    // Part 3: Ruler tool usage
    (matches(toLowerCase(process_image), ".*ruler\.exe.*") OR
     (matches(toLowerCase(command_line), ".*--rules.*") AND
      matches(toLowerCase(command_line), ".*(ruler|add|--target).*")))
  )
| eval detection_type = if(
    matches(toLowerCase(parent_image), ".*outlook\.exe.*") AND
    matches(toLowerCase(process_image), ".*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe.*"),
    "Outlook_Rule_Shell_Spawn",
    if(
      matches(toLowerCase(parent_image), ".*outlook\.exe.*") AND
      (matches(toLowerCase(process_image), ".*\\users\\.+") OR matches(toLowerCase(process_image), ".*\\appdata\\.+")),
      "Outlook_Rule_UserDir_Exec",
      "Ruler_Rules_Attack"
    )
  )
| eval risk_score = if(detection_type = "Ruler_Rules_Attack", 10,
    if(detection_type = "Outlook_Rule_UserDir_Exec", 9, 8))
| fields _messagetime, Computer, User, detection_type, risk_score, process_image, command_line, parent_image
| sort by risk_score, _messagetime

high severity high confidence

Data Sources

Sysmon via Sumo Logic Windows Agent Sumo Logic Cloud SIEM Enterprise normalized process events

Required Tables

WinEventLog/Sysmon os/windows/sysmon

False Positives

Email-triggered automation tools such as Power Automate Desktop or UiPath that use Outlook rules to launch RPA workflows and may spawn cmd.exe or PowerShell as part of their execution chain
Corporate help desk solutions that monitor for specific subject-line emails and invoke scripts via Outlook rules to auto-create tickets or trigger alerts
Security tools like email gateway sandboxing solutions that spawn controlled processes from Outlook as part of attachment analysis pipelines

Google Chronicle / SecOps

yaral

rule outlook_rules_persistence_t1137_005 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Outlook Rules persistence (T1137.005): Outlook spawning shell/LOLBin processes, executing binaries from user-writable paths, or Ruler tool usage for automated mailbox rule creation."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137.005"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Detection branch 1: Outlook spawning LOLBins (rule execution via shell)
    (
      re.regex($e.principal.process.file.full_path, `(?i)outlook\.exe$`)
      and re.regex($e.target.process.file.full_path,
        `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$`)
    )
    or
    // Detection branch 2: Outlook spawning process from user-writable directories
    (
      re.regex($e.principal.process.file.full_path, `(?i)outlook\.exe$`)
      and re.regex($e.target.process.file.full_path,
        `(?i)\\(Users|Temp|AppData|ProgramData)\\`)
      and not re.regex($e.target.process.file.full_path,
        `(?i)\\Microsoft\\Office\\`)
    )
    or
    // Detection branch 3: Ruler attack tool
    (
      re.regex($e.target.process.file.full_path, `(?i)ruler\.exe$`)
      or (
        re.regex($e.target.process.command_line, `(?i)--rules`)
        and re.regex($e.target.process.command_line, `(?i)(ruler|add|--target)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Endpoint telemetry via Chronicle forwarder Sysmon logs ingested to Chronicle

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Outlook-based ticketing integrations that legitimately spawn PowerShell or cmd.exe to process incoming email events according to subject-line rules in enterprise ITSM environments
Email-driven CI/CD or DevOps notification systems that use Outlook rules to trigger build scripts or deployment notifications via command execution
Authorized red team or penetration testing engagements using Ruler against Exchange Online or on-premises Exchange in the organization's environment

CrowdStrike LogScale (CQL)

cql

// T1137.005 — Outlook Rules Persistence
// Branch 1: Outlook spawning LOLBin or shell interpreters
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^outlook\.exe$/
| FileName = /(?i)^(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$/
| eval DetectionType = "Outlook_Rule_Shell_Spawn"
| eval RiskScore = 8
| table([@timestamp, ComputerName, UserName, DetectionType, RiskScore, FileName, CommandLine, ParentBaseFileName, ParentCommandLine])

// Branch 2: Outlook launching process from user-writable locations
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^outlook\.exe$/
| ImageFileName = /(?i)\\(Users|Temp|AppData|ProgramData)\\/
| ImageFileName != /(?i)\\Microsoft\\Office\\/
| eval DetectionType = "Outlook_Rule_UserDir_Exec"
| eval RiskScore = 9
| table([@timestamp, ComputerName, UserName, DetectionType, RiskScore, FileName, CommandLine, ImageFileName, ParentBaseFileName])

// Branch 3: Ruler attack tool for mailbox rule manipulation
#event_simpleName=ProcessRollup2
| case {
    FileName = /(?i)^ruler\.exe$/ | eval DetectionType = "Ruler_Rules_Attack", RiskScore = 10;
    CommandLine = /(?i)--rules/ AND CommandLine = /(?i)(ruler|add|--target)/ | eval DetectionType = "Ruler_Rules_Attack", RiskScore = 10
  }
| table([@timestamp, ComputerName, UserName, DetectionType, RiskScore, FileName, CommandLine, ParentBaseFileName])

// Aggregate and sort all branches
| groupBy([ComputerName, UserName, DetectionType, FileName, CommandLine], function=[
    min(RiskScore, as=risk_score),
    count(as=event_count),
    min(@timestamp, as=first_seen),
    max(@timestamp, as=last_seen)
  ])
| sort(risk_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) Falcon Data Replicator (FDR) Falcon LogScale via Falcon SIEM Connector

Required Tables

ProcessRollup2

False Positives

Outlook-connected telephony or unified communications platforms (e.g., Cisco Jabber, Teams Phone) that use rules to spawn helper executables when voicemail-to-email messages arrive
Enterprise document management integrations (e.g., SharePoint connector, DocuSign) that spawn processes from AppData directories when triggered by specific email subjects via Outlook rules
Authorized purple team or red team exercises where Ruler is used to test detection coverage of Exchange mailbox rule abuse in controlled lab or production-equivalent test environments

Outlook Rules

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections