T1137.005 IBM QRadar · QRadar

Detect Outlook Rules in IBM QRadar

Adversaries abuse Microsoft Outlook rules to achieve persistence and execute code. Malicious inbox rules can be configured to run a script or application when a specially crafted email is received. Rules are stored in the mailbox and persist across Outlook restarts and even OS reinstalls. The Ruler tool automates creation of malicious rules. Hidden inbox rules (stored without display names) are particularly stealthy.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.005 Outlook Rules
Canonical reference
https://attack.mitre.org/techniques/T1137/005/

QRadar Detection Query

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "EventID",
  "ParentProcessName",
  "ProcessName",
  "CommandLine",
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%outlook.exe%'
      AND LOWER("ProcessName") MATCHES '.*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe'
      THEN 'Outlook_Rule_Shell_Spawn'
    WHEN LOWER("ParentProcessName") LIKE '%outlook.exe%'
      AND (LOWER("ProcessName") LIKE '%\users\%'
           OR LOWER("ProcessName") LIKE '%\temp\%'
           OR LOWER("ProcessName") LIKE '%\appdata\%'
           OR LOWER("ProcessName") LIKE '%\programdata\%')
      AND LOWER("ProcessName") NOT LIKE '%microsoft\office%'
      THEN 'Outlook_Rule_UserDir_Exec'
    WHEN LOWER("ProcessName") LIKE '%ruler.exe%'
      OR (LOWER("CommandLine") LIKE '%--rules%' AND LOWER("CommandLine") LIKE '%-target%')
      THEN 'Ruler_Rules_Attack'
    ELSE NULL
  END AS detection_type,
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%outlook.exe%'
      AND LOWER("ProcessName") MATCHES '.*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe'
      THEN 8
    WHEN LOWER("ParentProcessName") LIKE '%outlook.exe%'
      AND (LOWER("ProcessName") LIKE '%\users\%'
           OR LOWER("ProcessName") LIKE '%\temp\%'
           OR LOWER("ProcessName") LIKE '%\appdata\%'
           OR LOWER("ProcessName") LIKE '%\programdata\%')
      AND LOWER("ProcessName") NOT LIKE '%microsoft\office%'
      THEN 9
    WHEN LOWER("ProcessName") LIKE '%ruler.exe%' THEN 10
    ELSE 5
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND ("EventID" = 1 OR "EventID" = 4688)
  AND (
    (LOWER("ParentProcessName") LIKE '%outlook.exe%'
     AND (LOWER("ProcessName") MATCHES '.*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe'
          OR ((LOWER("ProcessName") LIKE '%\users\%'
               OR LOWER("ProcessName") LIKE '%\temp\%'
               OR LOWER("ProcessName") LIKE '%\appdata\%'
               OR LOWER("ProcessName") LIKE '%\programdata\%')
              AND LOWER("ProcessName") NOT LIKE '%microsoft\office%')))
    OR LOWER("ProcessName") LIKE '%ruler.exe%'
    OR (LOWER("CommandLine") LIKE '%--rules%' AND LOWER("CommandLine") LIKE '%-target%')
  )
ORDER BY risk_score DESC, event_time DESC
LAST 24 HOURS
Severity
high
Confidence
medium

QRadar AQL query that detects Outlook rules persistence by correlating process-creation events (Sysmon Event ID 1 or Security Event ID 4688) in which Outlook spawns a shell interpreter or executes a binary from a user-writable path, or in which the Ruler tool is used to manipulate mailbox rules. Three AQL points matter when adapting it: MATCHES must match the entire field value, so a regex against a full process path needs a leading .*; a SELECT alias such as detection_type cannot be referenced in WHERE, so the branch conditions have to be repeated there; and the LAST n HOURS time range is written after ORDER BY rather than inside the WHERE clause.
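Added example, not from the original page or from IBM: a stand-alone Python re-implementation of the query's branch logic, useful for checking the expected detection_type and risk_score against constructed sample events before the AQL is deployed. Field names mirror the custom properties used above; the sample paths, users and command lines are placeholders.

```python
import re

# Interpreters flagged when outlook.exe is the parent. ProcessName is a full path, so the
# pattern is anchored to the final path component (AQL MATCHES is also whole-value).
SHELLS = re.compile(r".*\\(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def classify(event):
    """Return (detection_type, risk_score); first matching branch wins, like the AQL CASE."""
    parent = event.get("ParentProcessName", "").lower()
    proc = event.get("ProcessName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    from_outlook = "outlook.exe" in parent
    if from_outlook and SHELLS.match(proc):
        return "Outlook_Rule_Shell_Spawn", 8
    if from_outlook and any(d in proc for d in USER_WRITABLE) and "microsoft\\office" not in proc:
        return "Outlook_Rule_UserDir_Exec", 9
    if "ruler.exe" in proc or ("--rules" in cmd and "-target" in cmd):
        return "Ruler_Rules_Attack", 10 if "ruler.exe" in proc else 5
    return None, None

def run_detection(events):
    """Keep process-creation events (EID 1 / 4688) that classify, ordered like the AQL ORDER BY."""
    hits = []
    for e in events:
        if e.get("EventID") not in (1, 4688):
            continue
        dtype, risk = classify(e)
        if dtype is not None:
            hits.append({**e, "detection_type": dtype, "risk_score": risk})
    return sorted(hits, key=lambda h: (h["risk_score"], h["event_time"]), reverse=True)

# Constructed sample events (placeholder users, paths and command lines; not real telemetry).
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"event_time": "2024-01-01 09:00:01", "EventID": 1, "ParentProcessName": OUTLOOK,
     "ProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"event_time": "2024-01-01 09:00:02", "EventID": 4688, "ParentProcessName": OUTLOOK,
     "ProcessName": r"C:\Users\alice\AppData\Roaming\update.exe", "CommandLine": "update.exe"},
    {"event_time": "2024-01-01 09:00:03", "EventID": 1, "ParentProcessName": OUTLOOK,  # benign Office helper
     "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CommandLine": "winword.exe"},
    {"event_time": "2024-01-01 09:00:04", "EventID": 1, "ParentProcessName": r"C:\Windows\explorer.exe",
     "ProcessName": r"C:\Users\alice\Downloads\ruler.exe", "CommandLine": "ruler.exe --rules --trigger invoice"},
    {"event_time": "2024-01-01 09:00:05", "EventID": 4624, "ParentProcessName": OUTLOOK,  # not EID 1/4688: dropped
     "ProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
```

Running run_detection(SAMPLE_EVENTS) yields three hits in descending risk order (Ruler, then the AppData executable, then the shell spawn); the WINWORD child and the non-process-creation event produce nothing.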

Data Sources

  • Microsoft Windows Security Event Log (QRadar DSM)
  • Sysmon log source (QRadar DSM)
  • Microsoft Sysmon via Universal DSM

Required Tables

events

False Positives & Tuning

  • Outlook-integrated document management systems that spawn helper processes when emails with specific subjects are received and processed by workflow automation rules
  • Corporate unified communications platforms that use Outlook rules to trigger notifications via cmd.exe or PowerShell wrappers
  • Penetration testing engagements where the Ruler tool is used in authorized red team exercises against the organization's Exchange environment


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Outlook Inbox Rule via PowerShell (Exchange)

    Expected signal: Security Event ID 4624 for Exchange PowerShell authentication. Office 365 Unified Audit Log: Operation=New-InboxRule with RunScript action. Sysmon EventCode 3 network connection to Exchange Online.

  2. Test 2: Enumerate Inbox Rules for Hidden/Suspicious Entries

    Expected signal: Sysmon EventCode 1 with powershell.exe executing Get-InboxRule. Exchange EWS audit log showing mailbox access from local machine.

  3. Test 3: Test Ruler Tool Detection (Simulated Command)

    Expected signal: Sysmon EventCode 1 with cmd.exe process. For actual Ruler execution: Image=ruler.exe, CommandLine containing '--rules' and '--trigger'. Sysmon EventCode 3 connection to Exchange EWS.
