Microsoft Outlook VBA Template Persistence
Attackers establish persistence by installing a malicious VBA template in Microsoft Outlook, triggering scripts upon application startup by modifying the VBAProject.OTM file.
Attackers are known to exploit Microsoft Outlook's VBA scripting capabilities to establish persistence on compromised systems. This involves installing rogue VBA templates, which contain malicious scripts, within the Outlook environment. These scripts are designed to automatically execute when Outlook starts, providing a persistent foothold for the attacker. The technique focuses on modifying the VbaProject.OTM file, which stores VBA project data for Outlook. This activity allows the attacker to maintain long-term access and potentially execute further malicious actions. The technique can be detected by monitoring file modifications to the VbaProject.OTM file.
Attack Chain
- The attacker gains initial access to the target system (e.g., via compromised credentials or other means).
- The attacker crafts a malicious VBA script designed to perform actions such as downloading and executing additional payloads.
- The attacker modifies the
VbaProject.OTMfile, either by directly overwriting it or injecting malicious code. - The modified
VbaProject.OTMfile is saved in the user's Outlook profile directory (e.g.,C:\Users\<user>\AppData\Roaming\Microsoft\Outlook\). - The attacker ensures that Outlook is restarted or instructs the victim to restart Outlook.
- Upon Outlook startup, the VBA script within
VbaProject.OTMis automatically executed. - The malicious VBA script connects to an external command-and-control (C2) server to download a secondary payload.
- The secondary payload is executed, allowing the attacker to perform actions such as data exfiltration or lateral movement.
Impact
Successful exploitation allows attackers to maintain persistent access to the compromised system. The injected VBA code can perform a variety of malicious actions, including data exfiltration, credential theft, and lateral movement within the network. The technique can lead to significant data breaches and financial losses. Although the exact number of victims is not specified, this persistence technique is applicable across organizations that heavily rely on Microsoft Outlook.
Recommendation
- Monitor file modifications to
VbaProject.OTMin user profile directories. Deploy the Sigma ruleOutlook VBA Project Modificationto detect suspicious changes. - Implement application control or whitelisting to restrict unauthorized modifications to Outlook VBA files.
- Enable Sysmon file creation and modification logging to activate the rules above.
- Regularly review and audit Outlook VBA settings to identify and remove any unauthorized or malicious scripts.
Detection coverage 2
Outlook VBA Project Modification
mediumDetects modification of the Outlook VBA project file, indicating potential VBA macro-based persistence.
Suspicious Process Modifying Outlook VBA Project
mediumDetects processes not typically associated with Outlook modifying the VBA project file.
Detection queries are available on the platform. Get full rules →