Adversaries may create Outlook macros to execute malicious code and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential initial access and lateral movement tactics.
Detection Rule
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
    - id: 117d3d3a-755c-4a61-b23e-9171146d094c
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
falsepositives:
    - User genuinely creates a VB Macro for their email
level: medium
// Azure Sentinel (ASIM imFileEvent) translation of the rule above.
// Sigma 'Image' maps to the acting process, not to the target file, and
// the full path must be tested against TargetFilePath (TargetFileName holds only the file name).
imFileEvent
| where ActingProcessName endswith "\\outlook.exe" and TargetFilePath endswith "\\Microsoft\\Outlook\\VbaProject.OTM"
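To see what the selection actually matches, here is an added example (not part of the Sigma rule or the Sentinel query) that evaluates the rule's two conditions over constructed ASIM-style file events; the event records and user names are made up for this illustration, and the field names assume the ASIM FileEvent schema (ActingProcessName, TargetFilePath).

```python
"""Evaluate the 'New Outlook Macro Created' selection over sample file events."""
from typing import Dict, List

# Constructed sample events in ASIM FileEvent shape (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Outlook itself writes its VBA project file: should match
        "ActingProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "TargetFilePath": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
    },
    {   # Word writes the same file: the Image condition fails
        "ActingProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetFilePath": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
    },
    {   # Outlook writes an unrelated file: the TargetFilename condition fails
        "ActingProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "TargetFilePath": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost",
    },
]

OUTLOOK_SUFFIX = "\\outlook.exe"
OTM_SUFFIX = "\\Microsoft\\Outlook\\VbaProject.OTM"


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string modifiers and KQL's endswith compare case-insensitively."""
    return value.lower().endswith(suffix.lower())


def matches_outlook_macro_rule(event: Dict[str, str]) -> bool:
    """Sigma selection: Image|endswith outlook.exe AND
    TargetFilename|endswith \\Microsoft\\Outlook\\VbaProject.OTM.
    'Image' is the acting process; the path check goes against the target file."""
    return (_endswith_ci(event.get("ActingProcessName", ""), OUTLOOK_SUFFIX)
            and _endswith_ci(event.get("TargetFilePath", ""), OTM_SUFFIX))


def mistranslated_rule(event: Dict[str, str]) -> bool:
    """A translation that tests the *target* path for outlook.exe can never
    fire, because one path cannot end in both suffixes."""
    return (_endswith_ci(event.get("TargetFilePath", ""), OUTLOOK_SUFFIX)
            and _endswith_ci(event.get("TargetFilePath", ""), OTM_SUFFIX))


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_outlook_macro_rule(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["ActingProcessName"], "->", hit["TargetFilePath"])
```

Note that the selection only fires when Outlook itself writes the file; a VbaProject.OTM written by any other process falls outside this rule and needs separate coverage.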
Scenario: An administrator creates a macro for automating email processing during a routine system maintenance task.
Filter/Exclusion: process.name != "Outlook" or process.parent.name != "Outlook", or check for known admin tools like PowerShell or Task Scheduler with a known task name.
Scenario: A scheduled job runs a script that generates a macro file as part of a data migration or backup process.
Filter/Exclusion: file.name contains "backup" or file.name contains "migration", or check for scheduled tasks with a known job name via Task Scheduler.
Scenario: A developer uses Microsoft Word to create a macro that is later referenced by an Outlook add-in.
Filter/Exclusion: process.name != "Outlook" or file.path contains "Word" or file.path contains "Documents".
Scenario: A user creates a macro file manually for personal productivity, such as automating email responses.
Filter/Exclusion: user.name not in ("admin", "support"), or check for user-specific directories like C:\Users\username\Documents.
Scenario: A system update or patch process generates a temporary macro file as part of a configuration change.
Filter/Exclusion: file.path contains "temp" or file.path contains "update" or check for file creation time within a known update window.