Adversaries may create malicious Outlook forms to establish persistence by embedding malicious code within legitimate email interfaces. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term access and data exfiltration capabilities.
Detection Rule
title: Potential Persistence Via Outlook Form
id: c3edc6a5-d9d4-48d8-930e-aab518390917
status: test
description: Detects the creation of a new Outlook form which can contain malicious code
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
    - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
    - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
author: Tobias Michalski (Nextron Systems)
date: 2021-06-10
modified: 2023-02-22
tags:
    - attack.persistence
    - attack.t1137.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|contains:
            - '\AppData\Local\Microsoft\FORMS\IPM'
            - '\Local Settings\Application Data\Microsoft\Forms' # Windows XP
    condition: selection
falsepositives:
    - Legitimate use of outlook forms
level: high
// ASIM imFileEvent translation of the rule above. The Sigma field Image (the process
// writing the file) maps to ActingProcessName, and TargetFilename (the full path of
// the written file) maps to TargetFilePath; TargetFileName in ASIM holds only the
// file name, so the folder match must be done on TargetFilePath. The file_event
// category covers file creation, hence the EventType filter.
imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\outlook.exe"
| where TargetFilePath contains "\\AppData\\Local\\Microsoft\\FORMS\\IPM"
    or TargetFilePath contains "\\Local Settings\\Application Data\\Microsoft\\Forms"
Scenario: System Administrator Creates a Custom Outlook Form for Reporting Purposes
Filter/Exclusion: Exclude events where the form is created by a known admin account (e.g., DOMAIN\Administrator) or where the form name contains a specific prefix like Report_ or Audit_.
Scenario: Scheduled Job Deploys a Standard Outlook Form for Email Automation
Filter/Exclusion: Exclude events where the form is created by a service account associated with a scheduled job (e.g., DOMAIN\EmailAutomationService) or where the form is part of a known automation tool like Microsoft Power Automate or Outlook VBA scripts.
Scenario: IT Team Deploys a Standard Outlook Form for Internal Use
Filter/Exclusion: Exclude events where the form is created by the IT department’s service account (e.g., DOMAIN\IT_Support) or where the form is associated with a known internal tool like ServiceNow or Jira integration.
Scenario: User Creates a Personal Outlook Form for Personal Use
Filter/Exclusion: Exclude events where the form is created by a non-admin user and the form name contains personal identifiers (e.g., Personal_Form_2025) or where the form is created in a user-specific folder (e.g., Personal Folders\.pst).
Scenario: Outlook Add-in Installs a Form as Part of Its Functionality
Filter/Exclusion: Exclude events where the form is created by a known legitimate add-in (e.g., Outlook Web App, Microsoft 365 Add-ins) or where the form is associated with a trusted publisher (e.g., Microsoft, Adobe, or other enterprise-approved tools).
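The following is an added example, not code from the original page, the Sigma project or Microsoft Sentinel. It implements the rule's selection logic (process, forms-cache paths, creation events, case-insensitive matching as in Sigma and KQL) together with the account- and form-name-based exclusions from the scenarios above, and runs it over constructed sample file events. Field names follow the ASIM imFileEvent schema (EventType, ActingProcessName, TargetFilePath, ActorUsername); the usernames, file paths, allowlists and the assumption that each cached form sits in a FORMS sub-folder named after its message class (e.g. IPM.Note.Report_Weekly) are constructed for illustration. Publisher- and add-in-based exclusions are not representable in file-event fields and are therefore left out.

```python
# Added example: reference implementation of the rule logic plus tuning exclusions.
# Field names follow the ASIM imFileEvent schema; sample data and allowlists are constructed.
from dataclasses import dataclass
from typing import Iterable, List

# Forms-cache paths from the Sigma rule. Sigma and KQL match case-insensitively,
# so every comparison below is done on lower-cased strings.
FORMS_CACHE_PATHS = (
    r"\AppData\Local\Microsoft\FORMS\IPM",
    r"\Local Settings\Application Data\Microsoft\Forms",  # Windows XP
)

# Constructed tuning allowlists (hypothetical values; maintain per environment).
KNOWN_ACCOUNTS = {
    r"DOMAIN\Administrator",          # admin creating reporting forms
    r"DOMAIN\EmailAutomationService",  # scheduled-job service account
    r"DOMAIN\IT_Support",              # IT department service account
}
APPROVED_FORM_PREFIXES = ("Report_", "Audit_")


@dataclass(frozen=True)
class FileEvent:
    EventType: str
    ActingProcessName: str
    TargetFilePath: str
    ActorUsername: str


def matches_rule(ev: FileEvent) -> bool:
    """Sigma selection: outlook.exe creating a file under the forms cache."""
    if ev.EventType != "FileCreated":
        return False
    if not ev.ActingProcessName.lower().endswith(r"\outlook.exe"):
        return False
    path = ev.TargetFilePath.lower()
    return any(p.lower() in path for p in FORMS_CACHE_PATHS)


def form_name(ev: FileEvent) -> str:
    """Assumption: each cached form lives in a FORMS sub-folder named after its
    message class (e.g. IPM.Note.Report_Weekly); the last dotted segment is the
    form name. Files written directly into the cache root yield ''."""
    lower = ev.TargetFilePath.lower()
    idx = lower.find("\\forms\\")
    if idx == -1:
        return ""
    rest = ev.TargetFilePath[idx + len("\\forms\\"):]
    folder, sep, _ = rest.partition("\\")
    if not sep:
        return ""
    return folder.rsplit(".", 1)[-1]


def is_excluded(ev: FileEvent) -> bool:
    """Tuning from the false-positive scenarios: known accounts and approved prefixes."""
    if ev.ActorUsername.lower() in {a.lower() for a in KNOWN_ACCOUNTS}:
        return True
    return form_name(ev).startswith(APPROVED_FORM_PREFIXES)


def evaluate(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Return the events that match the rule and survive the exclusions."""
    return [ev for ev in events if matches_rule(ev) and not is_excluded(ev)]


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample telemetry; file names inside the cache folders are illustrative.
SAMPLE_EVENTS = [
    FileEvent("FileCreated", OUTLOOK, r"C:\Users\alice\AppData\Local\Microsoft\FORMS\IPM.Note.Invoice\form.dat",
              r"CORP\alice"),          # alert: unknown user, unapproved form name
    FileEvent("FileCreated", OUTLOOK, r"C:\Users\svc\AppData\Local\Microsoft\FORMS\IPM.Note.Helpdesk\form.dat",
              r"DOMAIN\IT_Support"),   # excluded: known IT service account
    FileEvent("FileCreated", OUTLOOK, r"C:\Users\bob\AppData\Local\Microsoft\FORMS\IPM.Note.Report_Weekly\form.dat",
              r"CORP\bob"),            # excluded: approved Report_ prefix
    FileEvent("FileCreated", WINWORD, r"C:\Users\bob\AppData\Local\Microsoft\FORMS\IPM.Note.Macro\form.dat",
              r"CORP\bob"),            # no match: acting process is not outlook.exe
    FileEvent("FileCreated", OUTLOOK, r"C:\Users\carol\AppData\Local\Microsoft\Outlook\carol.ost",
              r"CORP\carol"),          # no match: not the forms cache
    FileEvent("FileModified", OUTLOOK, r"C:\Users\carol\AppData\Local\Microsoft\FORMS\IPM.Note.Old\form.dat",
              r"CORP\carol"),          # no match: modification, not creation
    FileEvent("FileCreated", r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE",
              r"C:\Documents and Settings\dave\Local Settings\Application Data\Microsoft\Forms\IPM.Note.Legacy\form.dat",
              r"CORP\dave"),           # alert: Windows XP cache path
]


def run_sample() -> List[str]:
    """Usernames of the sample events that would be alerted on."""
    return [ev.ActorUsername for ev in evaluate(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {ev.ActorUsername}: {ev.TargetFilePath}")
```

Running the block alerts on the alice and dave events only: the IT_Support and Report_ events are suppressed by the allowlists, and the WINWORD.EXE, .ost and FileModified events never match the selection. Keep the allowlists narrow and reviewed, since an account or prefix added to them silences the rule for anything written under that identity or name.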