← Back to SOC feed Coverage →

Potential Persistence Via Outlook Today Page

sigma HIGH SigmaHQ
T1112
imRegistry
persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-29T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values “URL” and “UserDefinedUrl”.

Detection Rule

Sigma (Original)

title: Potential Persistence Via Outlook Today Page
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
related:
    - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
      type: similar
status: test
description: |
    Detects potential persistence activity via outlook today page.
    An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-10
modified: 2024-08-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains|all:
            - 'Software\Microsoft\Office\'
            - '\Outlook\Today\'
    selection_value_stamp:
        TargetObject|endswith: '\Stamp'
        Details: 'DWORD (0x00000001)'
    selection_value_url:
        TargetObject|endswith:
            - '\URL'
            - '\UserDefinedUrl'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Today*") and ((RegistryKey endswith "\\Stamp" and RegistryValueData =~ "DWORD (0x00000001)") or (RegistryKey endswith "\\URL" or RegistryKey endswith "\\UserDefinedUrl")) and (not(((ActingProcessName startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or ActingProcessName startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\") and ActingProcessName endswith "\\OfficeClickToRun.exe")))

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml