← Back to SOC feed Coverage →

Outlook Macro Execution Without Warning Setting Enabled

sigma HIGH SigmaHQ
T1137T1008T1546
imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-27T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the modification of Outlook security setting to allow unprompted execution of macros.

Detection Rule

Sigma (Original)

title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\Level'
        Details|contains: '0x00000001' # Enable all Macros
    condition: selection
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\Outlook\\Security\\Level" and RegistryValueData contains "0x00000001"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey endswith "\\Outlook\\Security\\Level" and RegistryValueData contains "0x00000001"

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml