Persistence via Malicious Microsoft Outlook VBA Template

hello@craftedsignal.io — Thu, 04 Jan 2024 12:00:00 +0000

Attackers can leverage Microsoft Outlook’s VBA scripting capabilities to establish persistence on compromised systems. This is achieved by installing malicious VBA templates within the Outlook environment. These templates are designed to execute upon application startup, granting the attacker sustained access and control. The attack centers around unauthorized modifications to the VbaProject.OTM file, a critical component for VBA script storage in Outlook. This technique allows threat actors to maintain a foothold even after system restarts or user logoffs. Defenders need to monitor for suspicious changes to this file to identify and mitigate potential compromises.

Attack Chain

The attacker gains initial access to the target system, potentially through phishing or other social engineering methods (not detailed in source).
The attacker identifies a user with Microsoft Outlook installed and running on a Windows system.
The attacker modifies or replaces the existing VbaProject.OTM file located in the user’s Outlook profile (C:\Users\*\AppData\Roaming\Microsoft\Outlook\).
The modified VbaProject.OTM file contains malicious VBA code designed to execute when Outlook starts.
The victim launches Microsoft Outlook.
The malicious VBA code within VbaProject.OTM executes automatically upon Outlook startup, establishing persistence.
The VBA script can perform various malicious actions, such as downloading and executing additional payloads, establishing command and control, or exfiltrating data.

Impact

Successful exploitation can lead to persistent access to the compromised system, allowing attackers to steal sensitive information, deploy ransomware, or use the system as a staging ground for further attacks within the network. The number of victims and specific sectors targeted depends on the attacker’s objectives and scope of the campaign. If the attack succeeds, an attacker could gain complete control over the user’s email account and associated data, leading to significant data breaches and financial losses.

Recommendation

Deploy the Sigma rule Detect Outlook VBA Template Modification to your SIEM to identify unauthorized modifications to the VbaProject.OTM file based on file creation events.
Enable Sysmon file creation logging (Event ID 11) to activate the Detect Outlook VBA Template Modification rule.
Implement application control policies to restrict unauthorized modifications to Outlook VBA files as described in the “Response and remediation” section of the source.
Monitor file creation events related to VbaProject.OTM in the specified paths (C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM) as highlighted in the rule query.

Outlook Security Settings Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 18:15:00 +0000

Attackers are known to modify Outlook security settings by directly manipulating registry values. This tactic allows them to bypass built-in security controls and enable potentially malicious functionalities such as running unsafe mail client rules. This circumvention of security measures can be leveraged for various malicious purposes, including persistence, data exfiltration, and further compromise of the victim’s system. The specific registry keys targeted reside under \SOFTWARE\Microsoft\Office\Outlook\Security\. This technique has been observed in various attack scenarios and poses a significant risk to organizations relying on Outlook for email communication. The modification of these registry settings may be performed by various means, ranging from manually executed commands to automated scripts deployed as part of a larger attack campaign.

Attack Chain

An attacker gains initial access to the system through methods such as phishing or exploiting vulnerabilities.
The attacker establishes persistence on the compromised system.
The attacker identifies the specific registry keys controlling Outlook security settings, located under \SOFTWARE\Microsoft\Office\Outlook\Security\.
The attacker uses a command-line tool or script (e.g., reg.exe, PowerShell) to modify the registry values related to Outlook security settings.
Specifically, values are modified to enable the execution of “unsafe” mail client rules, potentially allowing arbitrary code execution via crafted emails.
The attacker crafts a malicious email designed to trigger the newly enabled, unsafe mail rules.
Upon receiving the email, Outlook processes the rules, executing the attacker’s payload.
The attacker achieves code execution, enabling further malicious activities, such as data exfiltration or lateral movement within the network.

Impact

Successful modification of Outlook security settings allows attackers to execute arbitrary code within the context of the user account running Outlook. This can lead to the compromise of sensitive information contained within emails, the installation of malware, and further propagation of the attack throughout the organization. The scope of the impact depends on the privileges of the user account and the attacker’s objectives, potentially affecting all users within an organization if the attacker gains domain administrator access.

Recommendation

Deploy the Sigma rule “Outlook Security Settings Updated - Registry” to your SIEM to detect unauthorized modifications to Outlook security-related registry keys (logsource: registry_set/windows).
Monitor process creation events for suspicious processes (e.g., reg.exe, powershell.exe) modifying registry keys under \SOFTWARE\Microsoft\Office\Outlook\Security\ (Sigma rule below, logsource: process_creation/windows).
Implement strict application control policies to prevent unauthorized execution of scripts and executables that could be used to modify registry settings.

Outlook — CraftedSignal Threat Feed

Persistence via Malicious Microsoft Outlook VBA Template

Attack Chain

Impact

Recommendation

Outlook Security Settings Registry Modification

Attack Chain

Impact

Recommendation