title: Outlook Rules (T1137.005)
id: df00tech-t1137-005
status: experimental
description: Adversaries abuse Microsoft Outlook rules to achieve persistence and execute code. Malicious inbox rules can be configured to run a script or application when a specially crafted email is received. Because rules are stored in the mailbox itself, they persist across Outlook restarts and even an OS reinstall of the client. The Ruler tool automates the creation of such malicious rules. Hidden inbox rules (stored without display names) are particularly stealthy because they do not appear in the Outlook rules UI.
references:
  - https://attack.mitre.org/techniques/T1137/005/
  - https://df00tech.com/detections/T1137.005
author: df00tech
date: 2026/04/19
tags:
  - attack.t1137.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate Outlook rules that run VBScripts for custom email processing (some organizations use this for compliance or workflow automation)
  - IT-managed rules that launch specific applications when trigger emails are received
  - Help desk automation scripts triggered by Outlook rules for ticket creation
  - Outlook integration with corporate workflow systems that respond to specially formatted emails
level: high
