The hypothesis is that an adversary is leveraging a malicious Outlook VBA add-in to execute arbitrary code within the victim’s email environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of email clients and prevent lateral movement or data exfiltration.
Detection Rule (Sigma)
title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        ImageLoaded|endswith: '\outlvba.dll'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: medium
Hunting Query (KQL, DeviceImageLoadEvents table)
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\outlook.exe" and FolderPath endswith "\\outlvba.dll"
False Positive Scenarios and Tuning
Scenario 1: System administrator uses Outlook to run a PowerShell script that loads the outlvba.dll as part of a scheduled task for email automation.
Filter/Exclusion: Exclude processes launched by schtasks.exe or Task Scheduler with known legitimate PowerShell scripts.
Scenario 2: A Microsoft Exchange Server service account runs Outlook in the background to sync emails, which may load outlvba.dll as part of its normal operation.
Filter/Exclusion: Exclude processes with Process Owner set to a known Exchange service account or running under NT AUTHORITY\SYSTEM.
Scenario 3: A third-party Outlook add-in (e.g., Microsoft 365 Compliance Manager) is installed and loads outlvba.dll as part of its functionality.
Filter/Exclusion: Exclude processes with Process Image containing known add-in names or Process Owner associated with the add-in vendor.
Scenario 4: A Windows Update or Microsoft Defender scheduled task uses Outlook to check for email notifications, which may trigger the loading of outlvba.dll.
Filter/Exclusion: Exclude processes launched by wuauclt.exe or MsDefender.exe or associated with Windows Update or Microsoft Defender.
Scenario 5: A system diagnostic tool (e.g., Microsoft System Center or Windows Performance Analyzer) uses Outlook for logging or reporting, which may involve loading outlvba.dll.
Filter/Exclusion: Exclude processes with Process Image matching known diagnostic tools or running under Local System or Administrators with known diagnostic tool contexts.
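The following Python script is an added example, not code from the original page, the Sigma project or Microsoft. It applies the Sigma selection above to a few constructed image_load records and then layers on an account and parent-process allow-list of the kind the false-positive scenarios describe (the scheduled-task and service-account cases). The event field names, the account names, the parent-process list and the file paths are all assumptions chosen to mirror the Sigma/KQL fields; replace them with what your own telemetry shows before reusing the logic.

```python
# Added example (not from the original page, the Sigma project or Microsoft):
# evaluate the outlvba.dll rule over constructed image_load events, then apply
# the owner/parent exclusions suggested in the false-positive section.
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoadEvent:
    """One image_load record. Field names are assumptions that mirror the
    Sigma/KQL fields; only image and image_loaded are used by the rule itself."""
    image: str          # loading process  (Sigma Image / KQL InitiatingProcessFolderPath)
    image_loaded: str   # loaded module    (Sigma ImageLoaded / KQL FolderPath)
    account: str        # account running the process (assumed, e.g. InitiatingProcessAccountName)
    parent_image: str   # parent process path (assumed, e.g. InitiatingProcessParentFileName)


def matches_selection(ev: ImageLoadEvent) -> bool:
    """Sigma 'selection': both endswith conditions must hold. Sigma string
    matching is case-insensitive, so normalise first; the leading backslash
    makes sure only the exact file name matches, not e.g. 'notoutlook.exe'."""
    return (ev.image.lower().endswith("\\outlook.exe")
            and ev.image_loaded.lower().endswith("\\outlvba.dll"))


# Allow-list of the kind the page suggests. Every value is a constructed
# placeholder; tune it to the accounts and schedulers seen in your environment.
EXCLUDED_ACCOUNTS = {
    "nt authority\\system",   # SYSTEM (background sync scenario)
    "corp\\svc_exchange",     # known Exchange service account (placeholder)
}
EXCLUDED_PARENTS = {
    "\\schtasks.exe",         # scheduled email-automation scenario
}


def is_excluded(ev: ImageLoadEvent) -> bool:
    """True when the event is covered by one of the tuned exclusions."""
    if ev.account.lower() in EXCLUDED_ACCOUNTS:
        return True
    return any(ev.parent_image.lower().endswith(p) for p in EXCLUDED_PARENTS)


def hunt(events) -> list:
    """Events that match the rule and are not removed by an exclusion."""
    return [ev for ev in events if matches_selection(ev) and not is_excluded(ev)]


# Constructed sample telemetry (not real logs; paths are illustrative).
SAMPLE_EVENTS = [
    # 1. interactive user session, Outlook loads the VBA add-in: should alert
    ImageLoadEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                   r"C:\Program Files\Microsoft Office\root\Office16\ADDINS\OUTLVBA.DLL",
                   r"CORP\jdoe", r"C:\Windows\explorer.exe"),
    # 2. same load under SYSTEM: matches the rule, removed by the account exclusion
    ImageLoadEvent(r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe",
                   r"C:\Program Files\Microsoft Office\root\Office16\addins\outlvba.dll",
                   r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\services.exe"),
    # 3. Outlook loading an unrelated DLL: no match
    ImageLoadEvent(r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe",
                   r"C:\Windows\System32\kernel32.dll",
                   r"CORP\jdoe", r"C:\Windows\explorer.exe"),
    # 4. a process other than outlook.exe: outside this rule's scope, so no match
    ImageLoadEvent(r"C:\Windows\System32\rundll32.exe",
                   r"C:\Program Files\Microsoft Office\root\Office16\addins\outlvba.dll",
                   r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT {ev.account}: {ev.image} loaded {ev.image_loaded}")
```

Run as-is it reports only the first sample event. Event 2 shows the cost of the SYSTEM exclusion: anything running as SYSTEM is silently dropped, so keep such exclusions as narrow as the page's scenario allows (a named service account rather than all of SYSTEM where possible). Event 4 shows that the rule, by design, only covers loads performed by outlook.exe itself.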