Attack Chain

1. The attacker gains initial access to the target system, potentially through phishing or other social engineering methods (not detailed in source).
2. The attacker identifies a user with Microsoft Outlook installed and running on a Windows system.
3. The attacker modifies or replaces the existing VbaProject.OTM file located in the user’s Outlook profile (C:\Users\*\AppData\Roaming\Microsoft\Outlook\).
4. The modified VbaProject.OTM file contains malicious VBA code designed to execute when Outlook starts.
5. The victim launches Microsoft Outlook.
6. The malicious VBA code within VbaProject.OTM executes automatically upon Outlook startup, establishing persistence.
7. The VBA script can perform various malicious actions, such as downloading and executing additional payloads, establishing command and control, or exfiltrating data.

Impact

Successful exploitation can lead to persistent access to the compromised system, allowing attackers to steal sensitive information, deploy ransomware, or use the system as a staging ground for further attacks within the network. The number of victims and specific sectors targeted depends on the attacker’s objectives and scope of the campaign. If the attack succeeds, an attacker could gain complete control over the user’s email account and associated data, leading to significant data breaches and financial losses.

Recommendation

• Deploy the Sigma rule Detect Outlook VBA Template Modification to your SIEM to identify unauthorized modifications to the VbaProject.OTM file based on file creation events.
• Enable Sysmon file creation logging (Event ID 11) to activate the Detect Outlook VBA Template Modification rule.
• Implement application control policies to restrict unauthorized modifications to Outlook VBA files as described in the “Response and remediation” section of the source.
• Monitor file creation events related to VbaProject.OTM in the specified paths (C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM) as highlighted in the rule query.