title: Outlook Home Page (T1137.004)
id: df00tech-t1137-004
status: experimental
description: "Adversaries abuse Microsoft Outlook's Home Page feature to load a malicious HTML/script page in the Outlook folder view, achieving persistent code execution whenever the affected folder is opened. The Home Page URL is stored in the user's mailbox, making it invisible to standard file monitoring. OilRig (APT34) has abused this technique along with CVE-2017-11774 to bypass Home Page restrictions. The Ruler tool automates both installation and triggering."
references:
  - https://attack.mitre.org/techniques/T1137/004/
  - https://df00tech.com/detections/T1137.004
author: df00tech
date: 2026/04/19
tags:
  - attack.t1137.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
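  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the '*' wildcard matches every event that has an EventID field.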
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - SharePoint or intranet portals configured as legitimate Outlook folder home pages by IT administrators
  - Corporate Outlook customizations that load internal web dashboards in folder view
  - OWA (Outlook Web Access) client features that legitimately trigger browser-related processes
  - IT ticketing integrations that use Outlook Home Page to display ticket status within the email client
level: high
