Adversaries deliver initial access through attachments that Windows will execute or mount directly: .hta, .vbs, .vbe, .vba and .cpl files, .rdp connection files (used for credential and session theft in the Midnight Blizzard campaign referenced below), mountable .iso images, and .svg images that can carry script. When a user opens an attachment, Outlook first writes it to a per-profile temporary directory before handing it to the associated application, so a file-creation event with one of these extensions under that directory is an early, high-signal indicator of a spear-phishing delivery. SOC teams can hunt for this in Microsoft Sentinel (formerly Azure Sentinel) with the Sigma rule and ASIM query below. Because Outlook itself writes every opened attachment to these paths, any tuning must target other creating processes and never outlook.exe.
Detection Rule
title: Suspicious File Created in Outlook Temporary Directory
id: fabb0e80-030c-4e3e-a104-d09676991ac3
related:
    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
      type: obsolete
status: experimental
description: |
    Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
    This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
references:
    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-22
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection_extension:
        TargetFilename|endswith:
            - '.cpl'
            - '.hta'
            - '.iso'
            - '.rdp'
            - '.svg'
            - '.vba'
            - '.vbe'
            - '.vbs'
    selection_location:
        - TargetFilename|contains:
              - '\AppData\Local\Packages\Microsoft.Outlook_'
              - '\AppData\Local\Microsoft\Olk\Attachments\'
        - TargetFilename|contains|all:
              - '\AppData\Local\Microsoft\Windows\'
              - '\Content.Outlook\'
    condition: all of selection_*
falsepositives:
    - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
level: high
// imFileEvent is the Microsoft Sentinel ASIM file-activity parser. In that schema TargetFileName holds
// only the file name, so the directory checks must run against TargetFilePath, which holds the full path.
// endswith and contains are case-insensitive in KQL, matching Sigma's default string matching.
imFileEvent
| where TargetFilePath endswith ".cpl" or TargetFilePath endswith ".hta" or TargetFilePath endswith ".iso"
    or TargetFilePath endswith ".rdp" or TargetFilePath endswith ".svg" or TargetFilePath endswith ".vba"
    or TargetFilePath endswith ".vbe" or TargetFilePath endswith ".vbs"
| where TargetFilePath contains "\\AppData\\Local\\Packages\\Microsoft.Outlook_"
    or TargetFilePath contains "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\"
    or (TargetFilePath contains "\\AppData\\Local\\Microsoft\\Windows\\" and TargetFilePath contains "\\Content.Outlook\\")
Scenario: Scheduled Backup Job Creates Temporary Files
Description: A backup or profile-sync agent that stages or restores user profile data may write files into the Outlook temporary directory, and a restored .iso or .vbs would match the rule.
Filter/Exclusion: Exclude by the creating process (Sysmon Image, ActingProcessName in imFileEvent) of the known backup tool, such as Veeam Backup & Replication, Commvault or Acronis True Image. Match the full executable path, not just the file name, so that a malicious binary renamed to the same name cannot borrow the exclusion.
Scenario: Outlook Add-in Generates Temporary Files
Description: A legitimate Outlook add-in may write working files into the Outlook temporary directory during normal operation. Add-ins loaded into Outlook run inside outlook.exe, so their file writes carry the same creating process as an opened attachment.
Filter/Exclusion: Exclude only add-ins that run as their own separately signed process, by checking the creating process image (and its signer where the telemetry provides it); do not exclude outlook.exe itself, and do not key on a process ID, which changes every session. Where the add-in writes predictable file names, an allowlist of those names or their publisher is the narrower filter.
Scenario: User Downloads and Extracts an Archive
Description: A user may extract a ZIP or RAR attachment in place, so the archive tool writes the extracted files into the Outlook temporary directory. The archive itself (.zip, .rar, .7z) is not in the extension list and does not trigger the rule, but an extracted .vbs, .hta or .iso does.
Filter/Exclusion: There is no safe blanket exclusion here, because archives are a common phishing wrapper for exactly these file types; excluding by archive extension would not change the rule's behaviour at all. Treat these hits as review items and, at most, suppress a specific archive tool for a specific user after the extracted content has been confirmed benign.
Scenario: System Maintenance Task Uses Temporary Files
Description: Maintenance tools such as Disk Cleanup or CCleaner normally delete rather than create files in the Outlook temporary directory, so they rarely trigger a file-creation rule; a tool that does write here (for example one that stages copies of the files it is about to remove) can produce matching file names.
Filter/Exclusion: Exclude the specific maintenance tool by its creating process image. The parent process alone is a weak discriminator, since tasks started by Windows Task Scheduler share the same parent regardless of what they run.
Scenario: Admin Performs File Analysis Using Forensic Tools
Description: An admin may use forensic tools such as Volatility, Autopsy or FTK Imager to examine the Outlook temporary directory; exports or carved files that these tools write back into it can match the rule.
Filter/Exclusion: Exclude files created by forensic tools by checking the process name or using
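To show what the rule above actually matches and how the creating-process exclusions from the tuning scenarios interact with it, here is the detection logic re-implemented in Python and run over a handful of Sysmon Event ID 11 (FileCreate) records. This is an added example, not code from the rule page or from Nextron Systems; the events, user profile path, vendor executable paths and package names are constructed for illustration, and the ExampleVendor backup agent is a hypothetical allowlisted process.

```python
"""Re-implements the Sigma selections (selection_extension AND selection_location)
and applies a creating-process allowlist of the kind the tuning scenarios describe.
Added example, not code from the rule page or Nextron Systems. The Sysmon Event ID 11
records, profile path, vendor paths and package names below are constructed."""

# selection_extension: TargetFilename|endswith (Sigma string matching is case-insensitive)
SUSPICIOUS_EXTENSIONS = (".cpl", ".hta", ".iso", ".rdp", ".svg", ".vba", ".vbe", ".vbs")

# selection_location, first alternative: TargetFilename|contains (any one marker suffices)
OUTLOOK_TEMP_MARKERS = (
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",
)
# selection_location, second alternative: TargetFilename|contains|all (both markers required)
CLASSIC_TEMP_MARKERS = (
    "\\AppData\\Local\\Microsoft\\Windows\\",
    "\\Content.Outlook\\",
)


def has_suspicious_extension(path: str) -> bool:
    return path.lower().endswith(SUSPICIOUS_EXTENSIONS)


def in_outlook_temp_dir(path: str) -> bool:
    p = path.lower()
    if any(m.lower() in p for m in OUTLOOK_TEMP_MARKERS):
        return True
    return all(m.lower() in p for m in CLASSIC_TEMP_MARKERS)


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold for the same event."""
    target = event.get("TargetFilename", "")
    return has_suspicious_extension(target) and in_outlook_temp_dir(target)


# Tuning: allowlist the full image path of a known non-Outlook writer (hypothetical vendor).
# outlook.exe must never be listed here: it is the process that writes every opened
# attachment, malicious ones included, so excluding it would blind the rule entirely.
TRUSTED_IMAGES = frozenset({"c:\\program files\\examplevendor\\backupagent.exe"})


def should_alert(event: dict, trusted_images=TRUSTED_IMAGES) -> bool:
    if not matches_rule(event):
        return False
    return event.get("Image", "").lower() not in trusted_images


def alerting_indexes(events) -> list:
    """Indexes of the events that survive both the rule and the allowlist."""
    return [i for i, e in enumerate(events) if should_alert(e)]


OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
PROFILE = "C:\\Users\\alice\\AppData\\Local"

# Constructed Sysmon Event ID 11 records, reduced to the two fields the logic uses.
SAMPLE_EVENTS = [
    # 0: classic Outlook writes an opened .rdp attachment -> alert
    {"Image": OUTLOOK, "TargetFilename": PROFILE + "\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AB12CD34\\invoice.rdp"},
    # 1: new Outlook attachments folder, .svg attachment -> alert
    {"Image": "C:\\Program Files\\WindowsApps\\ExampleOutlookPackage\\olk.exe", "TargetFilename": PROFILE + "\\Microsoft\\Olk\\Attachments\\logo.svg"},
    # 2: packaged Outlook path under \Packages\Microsoft.Outlook_..., .vbs -> alert
    {"Image": OUTLOOK, "TargetFilename": PROFILE + "\\Packages\\Microsoft.Outlook_example\\TempState\\run.vbs"},
    # 3: suspicious extension but outside any Outlook temp directory -> no match
    {"Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.hta"},
    # 4: inside the directory but a benign extension -> no match
    {"Image": OUTLOOK, "TargetFilename": PROFILE + "\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AB12CD34\\report.pdf"},
    # 5: matches the rule but written by the allowlisted backup agent -> suppressed
    {"Image": "C:\\Program Files\\ExampleVendor\\BackupAgent.exe", "TargetFilename": PROFILE + "\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AB12CD34\\cache.iso"},
]

if __name__ == "__main__":
    for i in alerting_indexes(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['TargetFilename']}")
```

Running it alerts on events 0, 1 and 2 and stays silent on 3, 4 and 5; event 5 still satisfies the rule itself, and only the allowlist on the full image path suppresses it, which is the shape every exclusion in the scenarios above should take.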