Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44)
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | 1 |