Suspicious Microsoft Outlook Child Processes
Detects suspicious child processes spawned by Microsoft Outlook, commonly associated with spear phishing attacks and the execution of malicious payloads.
This rule identifies suspicious child processes of Microsoft Outlook, a common indicator of spear phishing campaigns. Attackers often use malicious attachments or embedded links in phishing emails to trigger the execution of malicious code when a user opens the email or attachment. This code then spawns child processes like PowerShell, cmd.exe, or other system binaries to perform further malicious activities, such as downloading malware, establishing persistence, or exfiltrating data. The rule focuses on detecting these anomalous parent-child process relationships to identify potential initial access attempts. This activity can lead to a full system compromise. This rule is designed to catch potential post-exploitation activity originating from compromised email clients and is applicable to a wide range of Windows environments.
Attack Chain
- A user receives a spear phishing email with a malicious attachment (e.g., a Word document with a malicious macro).
- The user opens the attachment in Microsoft Outlook, triggering the execution of the embedded malicious code (e.g., VBA macro).
- The malicious code executes and spawns a child process, such as
powershell.exe,cmd.exe, ormshta.exe, fromoutlook.exe. - The child process executes a command to download a malicious payload from a remote server.
- The downloaded payload is saved to disk and executed, establishing persistence using techniques like registry modification or scheduled tasks.
- The malware performs reconnaissance activities, gathering information about the system and network.
- The malware establishes a command and control (C2) channel to communicate with the attacker.
- The attacker uses the C2 channel to issue commands and exfiltrate sensitive data, deploy ransomware, or perform other malicious activities.
Impact
A successful attack can lead to the compromise of the user's system, potentially granting the attacker access to sensitive data, credentials, and other resources on the network. This can result in data breaches, financial losses, reputational damage, and disruption of business operations. While the number of impacted users is variable, successful exploitation can lead to wider network compromise impacting numerous systems.
Recommendation
- Deploy the Sigma rule
Suspicious Outlook Child Process - Command Interpreterto your SIEM to detect command interpreters spawned by Outlook, and tune for your environment. - Deploy the Sigma rule
Suspicious Outlook Child Process - System Binaryto your SIEM to detect system binaries spawned by Outlook, and tune for your environment. - Enable process creation logging with command line arguments via Windows Security Event Logs or Sysmon to provide visibility for the Sigma rules.
- Monitor for the execution of processes listed in the Sigma rules (
powershell.exe,cmd.exe,mshta.exe, etc.) withoutlook.exeas the parent process. - Implement email security measures, such as spam filtering and anti-phishing training, to reduce the risk of users receiving malicious emails.
Detection coverage 2
Suspicious Outlook Child Process - Command Interpreter
highDetects command interpreters (cmd.exe, powershell.exe, wscript.exe, cscript.exe) spawned by Outlook, which is indicative of potential phishing or malware activity.
Suspicious Outlook Child Process - System Binary
mediumDetects specific system binaries (mshta.exe, regsvr32.exe, installutil.exe) spawned by Outlook, which can indicate exploitation attempts.
Detection queries are available on the platform. Get full rules →