title: Outlook Forms (T1137.003)
id: df00tech-t1137-003
status: experimental
description: "Adversaries abuse Microsoft Outlook custom forms for persistence. Outlook forms are templates that define how a message is presented and what it does; a custom form can carry VBScript that Outlook runs when a message using that form is opened. With valid mailbox credentials or an existing session, the adversary publishes a malicious form into the victim's mailbox, where it is synchronised to every Outlook client that opens that mailbox. Execution is then triggered at will by sending the victim an email whose message class matches the planted form. The Ruler tool automates both publishing the form and sending the trigger message. Because the persistent copy lives server-side in the mailbox rather than on the endpoint, it survives OS reinstalls and hardware replacement and is not caught by file-integrity monitoring of the workstation. Outlook does keep a local forms cache, but the reliable signal is the script running inside OUTLOOK.EXE, so this rule looks for suspicious child processes of Outlook."
references:
  - https://attack.mitre.org/techniques/T1137/003/
  - https://df00tech.com/detections/T1137.003
author: df00tech
date: 2026/04/18
tags:
  - attack.t1137.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Form scripts execute inside OUTLOOK.EXE, so the observable is Outlook spawning an
  # interpreter or LOLBin it has no reason to launch. Field names follow the Sigma
  # process_creation schema (Sysmon Event ID 1 / Windows 4688). Tune the Image list and
  # add a filter for known add-in helpers listed under falsepositives.
  selection:
    ParentImage|endswith: '\OUTLOOK.EXE'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\certutil.exe'
      - '\bitsadmin.exe'
  condition: selection
falsepositives:
  - "Legitimate Outlook add-ins or plugins that spawn helper processes (e.g., CRM integrations, document management systems)"
  - IT helpdesk tools that connect to Exchange via Outlook for automation purposes
  - "Security awareness training platforms that send test phishing emails (these should not cause Outlook to spawn child processes in normal operation, so a match during a campaign still warrants a look)"
  - "Outlook integration with Teams, Slack, or other collaboration tools spawning child processes for notifications"
level: high
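The following is an added example that applies the child-process logic of this rule to constructed process_creation events offline, so the selection above can be sanity-checked before it goes into a SIEM. It is not part of the df00tech rule set or of the Sigma project. The event records are constructed, the `CrmSync.exe` allowlist entry is hypothetical, and the `-enc` payload is a placeholder.

```python
"""Offline check of the Outlook child-process logic (T1137.003) against
constructed process_creation events. Added example; not part of the df00tech
rule or of Sigma. Events are constructed and the allowlist is hypothetical."""

import ntpath
from typing import Dict, Iterable, List

# Child images a mail client should not be spawning. Mirrors the Image list
# of the rule above; extend it for your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Hypothetical allowlist for known add-in helpers (the kind of case the
# falsepositives section describes). Key is the lower-case child basename.
ALLOWLISTED_CHILDREN = {
    "crmsync.exe": "CRM add-in helper (hypothetical entry)",
}


def _basename(path: str) -> str:
    # Sigma string matching is case-insensitive, so compare lower-case basenames.
    # ntpath handles Windows paths even when this runs on a non-Windows host.
    return ntpath.basename(path).lower()


def match_outlook_child(event: Dict[str, str]) -> bool:
    """Return True when the event is a suspicious child process of OUTLOOK.EXE."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent != "outlook.exe":
        return False
    if child in ALLOWLISTED_CHILDREN:
        return False
    return child in SUSPICIOUS_CHILDREN


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a stream of events and return the matches in order."""
    return [e for e in events if match_outlook_child(e)]


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed Sysmon-style (Event ID 1) process_creation records.
SAMPLE_EVENTS = [
    # 1: Outlook itself starting; parent is explorer, no match.
    {"EventID": "1", "Image": OUTLOOK, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"OUTLOOK.EXE"', "User": r"CORP\alice"},
    # 2: form script handing off to wscript; matches.
    {"EventID": "1", "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": OUTLOOK,
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\upd.vbs"',
     "User": r"CORP\alice"},
    # 3: allowlisted add-in helper (hypothetical); no match.
    {"EventID": "1", "Image": r"C:\Program Files\CrmAddin\CrmSync.exe", "ParentImage": OUTLOOK,
     "CommandLine": "CrmSync.exe --sync", "User": r"CORP\alice"},
    # 4: cmd spawned by cmd, not by Outlook; no match.
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "User": r"CORP\alice"},
    # 5: hidden encoded PowerShell launched from Outlook; matches.
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": OUTLOOK, "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[T1137.003] {hit['User']}: OUTLOOK.EXE -> {hit['CommandLine']}")
```

Running the script prints the two hits (wscript and powershell) and nothing for Outlook's own start, the cmd-from-cmd event, or the allowlisted helper. Keep the allowlist keyed on full image paths or signer rather than basenames in production; a basename allowlist is trivially bypassed by naming a dropped binary after the helper.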
