Detect Outlook Rules in Splunk
Adversaries abuse Microsoft Outlook rules to achieve persistence and execute code. Malicious inbox rules can be configured to run a script or application when a specially crafted email is received. Rules are stored in the mailbox and persist across Outlook restarts and even OS reinstalls. The Ruler tool automates creation of malicious rules. Hidden inbox rules (stored without display names) are particularly stealthy.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Sub-technique
- T1137.005 Outlook Rules
- Canonical reference
- https://attack.mitre.org/techniques/T1137/005/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval detection_type=case(
match(ParentImage, "(?i)outlook\.exe") AND
match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe"),
"Outlook_Rule_Shell_Spawn",
match(ParentImage, "(?i)outlook\.exe") AND
match(Image, "(?i)\\\\(Users|Temp|AppData|ProgramData)\\\\") AND
NOT match(Image, "(?i)Microsoft\\\\Office"),
"Outlook_Rule_UserDir_Exec",
(match(CommandLine, "(?i)--rules") OR match(Image, "(?i)ruler\.exe")),
"Ruler_Rules_Detected",
true(), null()
)
| where isnotnull(detection_type)
| eval risk_score=case(
detection_type="Outlook_Rule_Shell_Spawn", 8,
detection_type="Outlook_Rule_UserDir_Exec", 9,
detection_type="Ruler_Rules_Detected", 10,
true(), 5
)
| table _time, host, User, detection_type, risk_score, Image, CommandLine, ParentImage, ParentCommandLine
| sort - risk_score, - _timeDetects Outlook Rules persistence via Sysmon EventCode 1. Assigns risk scores: Outlook spawning shell interpreters (score 8), Outlook running executables from user directories (score 9), and Ruler tool detection (score 10). Sorted by risk score to prioritize highest-fidelity alerts. The Ruler tool score of 10 reflects its near-exclusive use for malicious purposes.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate organizational VBScript rules triggered by Outlook for workflow automation
- IT automation tools launched by Outlook rules for ticket/incident management
- Email-triggered scripts for compliance archiving systems
Other platforms for T1137.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Outlook Inbox Rule via PowerShell (Exchange)
Expected signal: Security Event ID 4624 for Exchange PowerShell authentication. Office 365 Unified Audit Log: Operation=New-InboxRule with RunScript action. Sysmon EventCode 3 network connection to Exchange Online.
- Test 2Enumerate Inbox Rules for Hidden/Suspicious Entries
Expected signal: Sysmon EventCode 1 with powershell.exe executing Get-InboxRule. Exchange EWS audit log showing mailbox access from local machine.
- Test 3Test Ruler Tool Detection (Simulated Command)
Expected signal: Sysmon EventCode 1 with cmd.exe process. For actual Ruler execution: Image=ruler.exe, CommandLine containing '--rules' and '--trigger'. Sysmon EventCode 3 connection to Exchange EWS.
References (6)
- https://attack.mitre.org/techniques/T1137/005/
- https://silentbreaksecurity.com/malicious-outlook-rules/
- https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
Unlock Pro Content
Get the full detection package for T1137.005 including response playbook, investigation guide, and atomic red team tests.