Threat Feed

Product: Microsoft Outlook

6 briefs
high advisory

Global Stock Exchange Hit by Monthslong Email Campaign

An unknown threat actor held continuous administrative access to a senior finance executive's Microsoft Outlook mailbox at a global stock exchange for at least five months. After an initial lateral-movement event, the actor deployed custom infostealers via scheduled tasks and exfiltrated sensitive emails through a Dropbox-based command-and-control channel.

Tags: Microsoft Outlook, espionage, financial-sector, email-exfiltration, persistence, living-off-the-land, windows, advanced-persistent-threat
high threat

Secret Blizzard Upgrades Kazuar Backdoor to Modular P2P Botnet

The Russian hacker group Secret Blizzard has evolved the Kazuar backdoor into a modular P2P botnet designed for persistence, stealth, and data collection, using kernel, bridge, and worker modules for command and control and data exfiltration.

Tags: Exchange Web Services, Turla, kazuar, p2p, botnet, espionage, windows
medium advisory

Suspicious macOS MS Office Child Process

This rule identifies suspicious child processes of Microsoft Office applications on macOS, which often result from exploitation or malicious macros. It detects unexpected processes such as curl, bash, osascript, and python spawned by Office apps, while filtering out false positives from product version discovery, error reporting, and legitimate software.

Tags: Microsoft Word, endpoint, macos, initial_access, microsoft_office
high advisory

TCLBanker Banking Trojan Self-Spreads via WhatsApp and Outlook

TCLBanker is a banking trojan targeting 59 financial platforms, spreading via trojanized Logitech AI Prompt Builder installers and worm modules for WhatsApp and Outlook, enabling remote control and data theft.

Tags: AI Prompt Builder, banking-trojan, malware, worm, self-spreading, brazil, logitech
medium advisory

Outlook Security Settings Registry Modification

Attackers modify Outlook security settings via registry changes to enable malicious mail rules and bypass security controls, potentially leading to persistence and data compromise.

Tags: Microsoft Outlook, persistence, registry_modification, outlook, email
medium advisory

Suspicious MS Outlook Child Process

Detects suspicious child processes spawned by Microsoft Outlook, which are indicative of spear phishing and malicious file execution and can lead to initial access and further exploitation.

Tags: Microsoft Outlook, initial-access, phishing, malware, windows