Outlook Home Page Registry Modification for Command and Control or Persistence
Attackers abuse the Outlook Home Page functionality by modifying specific registry keys to point to attacker-controlled URLs or file paths, enabling command and control or persistence on compromised Windows systems.
Attackers are leveraging the Outlook Home Page feature to establish command and control or persistence on compromised Windows systems. This involves modifying specific registry keys associated with the Outlook Webview or Today page settings to point to malicious URLs, local HTML files, or UNC paths. The attack relies on manipulating these settings to redirect Outlook to attacker-controlled content, enabling the execution of arbitrary code or the establishment of a persistent foothold. The scope of this activity is potentially broad, affecting any Windows system where Outlook is used. The technique is described in detail in public sources, including a Google Cloud blog post and the Specula tool documentation.
Attack Chain
- The attacker gains initial access to the target system, potentially through phishing or exploitation of other vulnerabilities.
- The attacker obtains the necessary privileges to modify the Windows Registry, typically requiring administrator-level access.
- The attacker identifies the specific registry keys related to the Outlook Home Page settings, located under
HKCU\SOFTWARE\Microsoft\Office\*\Outlook\Webview\orHKCU\SOFTWARE\Microsoft\Office\*\Outlook\Today\. - The attacker modifies the
URLvalue within these registry keys to point to an attacker-controlled URL, a local HTML file (e.g.,C:\Users\<user>\AppData\Local\Temp\evil.html), or a UNC path (e.g.,\\attacker.example.com\share\evil.html). - When Outlook is opened or the Today page is accessed, Outlook attempts to render the content specified by the modified registry key.
- If the target is a URL, Outlook makes an HTTP request to the attacker's server, potentially revealing information about the victim system or allowing the attacker to deliver malicious content.
- If the target is a local HTML file or a UNC path, Outlook renders the HTML content, which may contain malicious JavaScript code that executes on the victim system.
- The attacker achieves command and control or persistence by executing arbitrary code on the victim system via the malicious content delivered through the Outlook Home Page.
Impact
Successful exploitation allows attackers to establish command and control over the compromised system, potentially enabling data exfiltration, lateral movement, or the deployment of ransomware. The attacker can maintain persistence even after system reboots by leveraging the modified registry keys. This can lead to significant data loss, financial damage, and reputational harm to the targeted organization. The number of victims and sectors targeted is currently unknown, but any organization using Outlook on Windows is potentially at risk.
Recommendation
- Enable Sysmon registry event logging to monitor registry modifications and activate the rule
Outlook Home Page Registry Modificationto detect suspicious changes to Outlook Home Page registry keys. - Investigate any alerts generated by the
Outlook Home Page Registry Modificationrule, focusing on the process writing the registry key and the target URL or file path specified in the registry data. - Implement network monitoring to detect outbound connections to suspicious domains or IPs referenced in the registry data (see references for examples).
- Block access to known malicious domains and IPs associated with this attack technique at the network perimeter (see references).
- Review and restrict the use of Outlook Home Page functionality within the organization to minimize the attack surface.
Detection coverage 2
Outlook Home Page Registry Modification
highDetects modifications to registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.
Suspicious Process Modifying Outlook Home Page Registry
mediumDetects processes not typically associated with Outlook administration modifying Outlook Home Page registry keys.
Detection queries are available on the platform. Get full rules →