Sigma
Sigma rules for CVE-2002-2100
15 rules · scoped to cve · back to CVE-2002-2100
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
15 of 15
direct
high
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
view Sigma YAML
title: Suspicious File Created in Outlook Temporary Directory
id: fabb0e80-030c-4e3e-a104-d09676991ac3
related:
- id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
type: obsolete
status: experimental
description: |
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
references:
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-22
tags:
- attack.initial-access
- attack.t1566.001
logsource:
product: windows
category: file_event
detection:
selection_extension:
TargetFilename|endswith:
- '.cpl'
- '.hta'
- '.iso'
- '.rdp'
- '.svg'
- '.vba'
- '.vbe'
- '.vbs'
selection_location:
- TargetFilename|contains:
- '\AppData\Local\Packages\Microsoft.Outlook_'
- '\AppData\Local\Microsoft\Olk\Attachments\'
- TargetFilename|contains|all:
- '\AppData\Local\Microsoft\Windows\'
- '\Content.Outlook\'
condition: all of selection_*
falsepositives:
- Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
level: high
direct
high
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
view Sigma YAML
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
- id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
filter:
Image|endswith: '\outlook.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
direct
high
Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form which can contain malicious code
view Sigma YAML
title: Potential Persistence Via Outlook Form
id: c3edc6a5-d9d4-48d8-930e-aab518390917
status: test
description: Detects the creation of a new Outlook form which can contain malicious code
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
- https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
- https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
author: Tobias Michalski (Nextron Systems)
date: 2021-06-10
modified: 2023-02-22
tags:
- attack.persistence
- attack.t1137.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\outlook.exe'
TargetFilename|contains:
- '\AppData\Local\Microsoft\FORMS\IPM'
- '\Local Settings\Application Data\Microsoft\Forms' # Windows XP
condition: selection
falsepositives:
- Legitimate use of outlook forms
level: high
direct
high
Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
view Sigma YAML
title: Suspicious Execution From Outlook Temporary Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth (Nextron Systems)
references:
- Internal Research
date: 2019-10-01
modified: 2022-10-09
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\Temporary Internet Files\Content.Outlook\'
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
view Sigma YAML
title: Suspicious Remote Child Process From Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
related:
- id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
type: similar
status: test
description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
references:
- https://github.com/sensepost/ruler
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\outlook.exe'
Image|startswith: '\\\\'
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
view Sigma YAML
title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
type: derived
- id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
date: 2022-02-28
modified: 2023-02-04
tags:
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\OUTLOOK.EXE'
Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mftrace.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\msdt.exe' # CVE-2022-30190
- '\mshta.exe'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\wscript.exe'
# Several FPs with rundll32.exe
# We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
# - '\rundll32.exe'
# filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568
# ParentImage|endswith: '\OUTLOOK.EXE'
# Image|endswith: '\rundll32.exe'
# CommandLine|contains: '\PhotoViewer.dll'
# filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696
# ParentImage|endswith: '\OUTLOOK.EXE'
# Image|endswith: '\rundll32.exe'
# CommandLine|contains|all:
# - 'shell32.dll,Control_RunDLL'
# - '\SYSTEM32\SPOOL\DRIVERS\'
condition: selection # and not 1 of filter*
falsepositives:
- Unknown
level: high
direct
high
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
view Sigma YAML
title: Outlook EnableUnsafeClientMailRules Setting Enabled
id: 55f0a3a1-846e-40eb-8273-677371b8d912
related:
- id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
- https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
view Sigma YAML
title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
status: test
description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-04-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
Details|contains: '0x00000001'
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Potential Persistence Via Outlook Today Page
Detects potential persistence activity via outlook today page.
An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
view Sigma YAML
title: Potential Persistence Via Outlook Today Page
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
related:
- id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
type: similar
status: test
description: |
Detects potential persistence activity via outlook today page.
An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-10
modified: 2024-08-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains|all:
- 'Software\Microsoft\Office\'
- '\Outlook\Today\'
selection_value_stamp:
TargetObject|endswith: '\Stamp'
Details: 'DWORD (0x00000001)'
selection_value_url:
TargetObject|endswith:
- '\URL'
- '\UserDefinedUrl'
filter_main_office:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
direct
high
Potential Persistence Via Outlook Home Page
Detects potential persistence activity via outlook home page.
An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
view Sigma YAML
title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
related:
- id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
type: similar
status: test
description: |
Detects potential persistence activity via outlook home page.
An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
- https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-09
modified: 2024-08-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Software\Microsoft\Office\'
- '\Outlook\WebView\'
TargetObject|endswith: '\URL'
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
view Sigma YAML
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Outlook\Security\Level'
Details|contains: '0x00000001' # Enable all Macros
condition: selection
falsepositives:
- Unlikely
level: high
direct
high
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
view Sigma YAML
title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
- id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
type: similar
- id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
- https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
direct
medium
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
view Sigma YAML
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
- id: 117d3d3a-755c-4a61-b23e-9171146d094c
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\outlook.exe'
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
condition: selection
falsepositives:
- User genuinely creates a VB Macro for their email
level: medium
direct
medium
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
view Sigma YAML
title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\outlook.exe'
ImageLoaded|endswith: '\outlvba.dll'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: medium
direct
medium
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
view Sigma YAML
title: Outlook Security Settings Updated - Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
related:
- id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules
type: similar
status: test
description: Detects changes to the registry values related to outlook security settings
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
author: frack113
date: 2021-12-28
modified: 2026-01-09
tags:
- attack.persistence
- attack.t1137
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Office\'
- '\Outlook\Security\'
filter_main_outlook:
Image|startswith:
- 'C:\Program Files\Microsoft Office\'
- 'C:\Program Files (x86)\Microsoft Office\'
Image|endswith: '\OUTLOOK.EXE'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative activity
level: medium
Showing 1-15 of 15