Outlook Rules

Information

• Name: Outlook Rules

• ID: T1137.005

• Tactics: TA0003

• Technique: T1137

Introduction

Outlook Rules [T1137.005] is a sub-technique within the MITRE ATT&CK framework under the "Office Application Startup" technique (T1137). Attackers leverage Microsoft Outlook rules to achieve persistence and maintain access to compromised environments. Outlook rules, typically used to automate email organization and management tasks, can be maliciously configured to execute arbitrary commands, scripts, or launch malicious payloads upon receiving specific email triggers or conditions.

Deep Dive Into Technique

Attackers exploit Outlook's built-in rules feature, which allows users to automate email handling based on specific criteria (sender, subject, keywords, attachments). By creating or modifying Outlook rules, adversaries can trigger malicious actions such as:

• Launching malicious scripts or executables when emails with specific attributes are received.

• Forwarding sensitive or confidential emails automatically to attacker-controlled email addresses.

• Automatically deleting or hiding suspicious emails to evade detection and incident response measures.

• Executing PowerShell or command-line scripts embedded within Outlook rules to download secondary payloads or establish command-and-control (C2) channels.

Technical mechanisms include:

• Outlook rule actions such as "run a script," "start application," or "forward email" that can be configured maliciously.

• Manipulation of rules stored within the user's mailbox (Exchange Server) or local Outlook client (PST/OST files).

• Utilizing Outlook COM objects or scripting interfaces to automate rule creation silently.

Real-world procedures attackers use:

• Phishing emails containing malicious attachments or links designed to execute scripts that create Outlook rules upon execution.

• Compromised user credentials leveraged to remotely configure Outlook rules via Exchange Web Services (EWS) or Outlook Web Access (OWA).

• Malicious VBA macros embedded in Office documents, which, when opened, automatically create persistent Outlook rules.

When this Technique is Usually Used

Attack scenarios and stages where Outlook Rules [T1137.005] commonly appear include:

• Persistence Stage:

  • Attackers establish long-term persistence by creating Outlook rules that trigger upon receiving specific emails or conditions, allowing continuous access or command execution.

  • Outlook rules persist even after system reboots, making them reliable persistence mechanisms.

• Data Exfiltration Stage:

  • Automatically forwarding emails containing sensitive information or credentials to attacker-controlled email addresses.

  • Triggering scripts or commands to silently export and exfiltrate mailbox contents.

• Defense Evasion Stage:

  • Rules configured to automatically delete or move emails containing security alerts or suspicious activity notifications, preventing detection by security teams.

  • Email filtering rules that hide attacker-related communications or activity.

• Command and Control Stage:

  • Using Outlook rules to trigger commands or scripts upon receiving specially crafted emails, enabling attackers to remotely control compromised systems without direct network connections.

How this Technique is Usually Detected

Detection methods, tools, and indicators of compromise (IoCs) include:

• Monitoring Outlook Rule Creation and Modification:

  • Using Endpoint Detection and Response (EDR) tools to detect unusual Outlook rule creations or modifications.

  • Checking Exchange Server or Office 365 audit logs for suspicious rule-related events.

• Analyzing Outlook Rule Conditions and Actions:

  • Regularly reviewing Outlook rules for suspicious conditions (e.g., specific keywords, external senders) and actions (e.g., launching scripts, forwarding emails externally).

  • Utilizing scripts or automated tools like PowerShell scripts or Exchange Management Shell commands to periodically audit Outlook rules across the organization.

• Endpoint and Network Indicators:

  • Suspicious scripts or executables triggered by Outlook processes.

  • Unusual network traffic or connections initiated by Outlook processes to external IP addresses or domains.

  • Unexpected email forwarding patterns to external domains or unknown addresses.

• Behavioral Analytics and SIEM Integration:

  • Integrating Outlook and Exchange logs into Security Information and Event Management (SIEM) systems to identify anomalies or suspicious rule-related activities.

  • Alerting on unusual email activity patterns, such as automated forwarding to external domains or repeated script executions triggered by email events.

Why it is Important to Detect This Technique

Detecting malicious Outlook rules early is critical due to the following impacts on systems and networks:

• Data Exfiltration and Loss:

  • Malicious rules can automatically forward sensitive emails, intellectual property, or confidential data externally, leading to significant data breaches.

• Long-Term Persistence and Stealth:

  • Outlook rules can remain unnoticed for extended periods, providing attackers persistent and stealthy access to compromised environments.

  • Attackers can continuously execute commands, scripts, or payloads, maintaining a foothold even after initial infection vectors are remediated.

• Defense Evasion and Reduced Visibility:

  • Rules configured to automatically delete or hide security alerts, incident notifications, or suspicious emails impede incident response and forensic investigations.

  • Attackers gain the ability to conceal their activities and evade detection, prolonging compromise duration.

• Potential for Lateral Movement and Escalation:

  • Attackers leveraging Outlook rules may use compromised email accounts to spread malicious payloads internally or entice other users into providing credentials or opening malicious attachments.

  • Automated email-based attacks facilitated by Outlook rules can accelerate lateral movement and increase overall organizational risk.

Early detection and response significantly reduce the potential damage, limit attacker persistence, and enhance overall organizational security posture.

Examples

Real-world examples demonstrating the use of Outlook Rules [T1137.005]:

• APT33 (Elfin):

  • Iranian threat group APT33 leveraged malicious Outlook rules to maintain persistence within targeted organizations.

  • Malicious rules were configured to automatically launch PowerShell scripts embedded within emails received from attacker-controlled email addresses, enabling persistent command-and-control channels.

• Operation Cobalt Kitty:

  • Attackers utilized malicious Outlook rules to automatically forward sensitive emails containing confidential information and credentials to external attacker-controlled mailboxes.

  • Rules were also configured to delete forwarded emails to conceal data exfiltration activities from targeted users.

• FIN7 Cybercrime Group:

  • FIN7 actors delivered malicious documents containing macros that, once executed, created Outlook rules designed to automatically launch additional malware payloads upon receiving specifically crafted emails.

  • This allowed FIN7 to maintain persistent and stealthy access within compromised environments, facilitating further exploitation and financial fraud.

• Phishing Campaigns and Business Email Compromise (BEC):

  • Attackers frequently use compromised email accounts to create Outlook rules that automatically forward sensitive business communications or invoices to attacker-controlled external addresses.

  • Rules may also delete or archive forwarded emails to evade detection, enabling attackers to intercept critical business communications and facilitate financial fraud.

In these scenarios, attackers typically leverage combinations of phishing, social engineering, and malware delivery methods to establish malicious Outlook rules, enabling persistent access, stealthy data exfiltration, and ongoing compromise of targeted organizations.