Outlook Security Settings Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 18:15:00 +0000

Attackers are known to modify Outlook security settings by directly manipulating registry values. This tactic allows them to bypass built-in security controls and enable potentially malicious functionalities such as running unsafe mail client rules. This circumvention of security measures can be leveraged for various malicious purposes, including persistence, data exfiltration, and further compromise of the victim’s system. The specific registry keys targeted reside under \SOFTWARE\Microsoft\Office\Outlook\Security\. This technique has been observed in various attack scenarios and poses a significant risk to organizations relying on Outlook for email communication. The modification of these registry settings may be performed by various means, ranging from manually executed commands to automated scripts deployed as part of a larger attack campaign.

Attack Chain

An attacker gains initial access to the system through methods such as phishing or exploiting vulnerabilities.
The attacker establishes persistence on the compromised system.
The attacker identifies the specific registry keys controlling Outlook security settings, located under \SOFTWARE\Microsoft\Office\Outlook\Security\.
The attacker uses a command-line tool or script (e.g., reg.exe, PowerShell) to modify the registry values related to Outlook security settings.
Specifically, values are modified to enable the execution of “unsafe” mail client rules, potentially allowing arbitrary code execution via crafted emails.
The attacker crafts a malicious email designed to trigger the newly enabled, unsafe mail rules.
Upon receiving the email, Outlook processes the rules, executing the attacker’s payload.
The attacker achieves code execution, enabling further malicious activities, such as data exfiltration or lateral movement within the network.

Impact

Successful modification of Outlook security settings allows attackers to execute arbitrary code within the context of the user account running Outlook. This can lead to the compromise of sensitive information contained within emails, the installation of malware, and further propagation of the attack throughout the organization. The scope of the impact depends on the privileges of the user account and the attacker’s objectives, potentially affecting all users within an organization if the attacker gains domain administrator access.

Recommendation

Deploy the Sigma rule “Outlook Security Settings Updated - Registry” to your SIEM to detect unauthorized modifications to Outlook security-related registry keys (logsource: registry_set/windows).
Monitor process creation events for suspicious processes (e.g., reg.exe, powershell.exe) modifying registry keys under \SOFTWARE\Microsoft\Office\Outlook\Security\ (Sigma rule below, logsource: process_creation/windows).
Implement strict application control policies to prevent unauthorized execution of scripts and executables that could be used to modify registry settings.

Suspicious MS Outlook Child Process

hello@craftedsignal.io — Tue, 02 Jan 2024 10:00:00 +0000

This detection identifies suspicious child processes of Microsoft Outlook, often associated with spear phishing activity and the execution of malicious attachments. Attackers may leverage malicious documents delivered via email to execute arbitrary code on a victim’s machine. The rule focuses on identifying processes such as cmd.exe, powershell.exe, and other system binaries being spawned by Outlook, suggesting the potential execution of malicious attachments or exploitation for initial access. This activity is designed to bypass traditional security measures and gain an initial foothold within the targeted environment. The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.

Attack Chain

A user receives a spear phishing email with a malicious attachment (e.g., a Microsoft Office document or PDF).
The user opens the attachment, unknowingly triggering embedded malicious code (e.g., macros or exploits).
The malicious code executes within the context of Microsoft Outlook (outlook.exe).
The malicious code spawns a suspicious child process, such as cmd.exe, powershell.exe, mshta.exe, or wscript.exe.
The spawned process executes commands to download and execute further malicious payloads from external sources.
The downloaded payload establishes persistence on the compromised system.
The attacker gains initial access and begins reconnaissance activities.
The attacker moves laterally within the network, escalating privileges and compromising additional systems.

Impact

A successful attack can lead to initial access, allowing attackers to gain a foothold within the network, escalate privileges, and potentially exfiltrate sensitive data, deploy ransomware, or conduct other malicious activities. While specific victim counts and sectors are unavailable, similar attacks have targeted a wide range of industries.

Recommendation

Deploy the Sigma rule “Suspicious MS Outlook Child Process Spawning Command Interpreter” to your SIEM to detect potential initial access attempts (see rule below).
Enable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rules.
Block the execution of commonly abused system binaries (e.g., cmd.exe, powershell.exe, wscript.exe) as child processes of Outlook using application control policies where possible.
Implement and enforce strict macro policies in Microsoft Office applications to prevent the execution of malicious code within documents.
Regularly review and update email security policies to prevent spear phishing emails from reaching users.

Microsoft Outlook — CraftedSignal Threat Feed

Outlook Security Settings Registry Modification

Attack Chain

Impact

Recommendation

Suspicious MS Outlook Child Process

Attack Chain

Impact

Recommendation