{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/outlook/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Outlook"],"_cs_severities":["medium"],"_cs_tags":["persistence","vba","outlook","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can leverage Microsoft Outlook\u0026rsquo;s VBA scripting capabilities to establish persistence on compromised systems. This is achieved by installing malicious VBA templates within the Outlook environment. These templates are designed to execute upon application startup, granting the attacker sustained access and control. The attack centers around unauthorized modifications to the \u003ccode\u003eVbaProject.OTM\u003c/code\u003e file, a critical component for VBA script storage in Outlook. This technique allows threat actors to maintain a foothold even after system restarts or user logoffs. Defenders need to monitor for suspicious changes to this file to identify and mitigate potential compromises.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system, potentially through phishing or other social engineering methods (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a user with Microsoft Outlook installed and running on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or replaces the existing \u003ccode\u003eVbaProject.OTM\u003c/code\u003e file located in the user\u0026rsquo;s Outlook profile (\u003ccode\u003eC:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe modified \u003ccode\u003eVbaProject.OTM\u003c/code\u003e file contains malicious VBA code designed to execute when Outlook starts.\u003c/li\u003e\n\u003cli\u003eThe victim launches Microsoft Outlook.\u003c/li\u003e\n\u003cli\u003eThe malicious VBA code within \u003ccode\u003eVbaProject.OTM\u003c/code\u003e executes automatically upon Outlook startup, establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe VBA script can perform various malicious actions, such as downloading and executing additional payloads, establishing command and control, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent access to the compromised system, allowing attackers to steal sensitive information, deploy ransomware, or use the system as a staging ground for further attacks within the network. The number of victims and specific sectors targeted depends on the attacker\u0026rsquo;s objectives and scope of the campaign. If the attack succeeds, an attacker could gain complete control over the user\u0026rsquo;s email account and associated data, leading to significant data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Outlook VBA Template Modification\u003c/code\u003e to your SIEM to identify unauthorized modifications to the \u003ccode\u003eVbaProject.OTM\u003c/code\u003e file based on file creation events.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to activate the \u003ccode\u003eDetect Outlook VBA Template Modification\u003c/code\u003e rule.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict unauthorized modifications to Outlook VBA files as described in the \u0026ldquo;Response and remediation\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events related to \u003ccode\u003eVbaProject.OTM\u003c/code\u003e in the specified paths (\u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\u003c/code\u003e) as highlighted in the rule query.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-outlook-vba-persistence/","summary":"Attackers establish persistence by installing a malicious VBA template in Microsoft Outlook, triggering scripts upon application startup by modifying the VBAProject.OTM file, detected by monitoring for unauthorized file modifications.","title":"Persistence via Malicious Microsoft Outlook VBA Template","url":"https://feed.craftedsignal.io/briefs/2024-01-outlook-vba-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Outlook"],"_cs_severities":["medium"],"_cs_tags":["persistence","registry_modification","outlook","email"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are known to modify Outlook security settings by directly manipulating registry values. This tactic allows them to bypass built-in security controls and enable potentially malicious functionalities such as running unsafe mail client rules. This circumvention of security measures can be leveraged for various malicious purposes, including persistence, data exfiltration, and further compromise of the victim\u0026rsquo;s system. The specific registry keys targeted reside under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e. This technique has been observed in various attack scenarios and poses a significant risk to organizations relying on Outlook for email communication. The modification of these registry settings may be performed by various means, ranging from manually executed commands to automated scripts deployed as part of a larger attack campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as phishing or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the specific registry keys controlling Outlook security settings, located under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool or script (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the registry values related to Outlook security settings.\u003c/li\u003e\n\u003cli\u003eSpecifically, values are modified to enable the execution of \u0026ldquo;unsafe\u0026rdquo; mail client rules, potentially allowing arbitrary code execution via crafted emails.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious email designed to trigger the newly enabled, unsafe mail rules.\u003c/li\u003e\n\u003cli\u003eUpon receiving the email, Outlook processes the rules, executing the attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, enabling further malicious activities, such as data exfiltration or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Outlook security settings allows attackers to execute arbitrary code within the context of the user account running Outlook. This can lead to the compromise of sensitive information contained within emails, the installation of malware, and further propagation of the attack throughout the organization. The scope of the impact depends on the privileges of the user account and the attacker\u0026rsquo;s objectives, potentially affecting all users within an organization if the attacker gains domain administrator access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Outlook Security Settings Updated - Registry\u0026rdquo; to your SIEM to detect unauthorized modifications to Outlook security-related registry keys (logsource: registry_set/windows).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) modifying registry keys under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e (Sigma rule below, logsource: process_creation/windows).\u003c/li\u003e\n\u003cli\u003eImplement strict application control policies to prevent unauthorized execution of scripts and executables that could be used to modify registry settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-outlook-registry-security-settings/","summary":"Attackers modify Outlook security settings via registry changes to enable malicious mail rules and bypass security controls, potentially leading to persistence and data compromise.","title":"Outlook Security Settings Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-outlook-registry-security-settings/"}],"language":"en","title":"CraftedSignal Threat Feed — Outlook","version":"https://jsonfeed.org/version/1.1"}