Adversaries may use Outlook macros to execute malicious code and establish persistence; the rule below tags the relevant MITRE ATT&CK techniques (T1137, T1008 and T1546). Proactively hunting for suspicious macro-file creation in Azure Sentinel helps identify a potential compromise early, enabling timely containment and mitigation.
Detection Rule
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
    - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    filter:
        Image|endswith: '\outlook.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
Azure Sentinel query (ASIM imFileEvent parser):
imFileEvent
// Sigma TargetFilename is the full path, so match on TargetFilePath (TargetFileName holds only the file name);
// the Sigma filter is on the writing process (Image), which ASIM exposes as ActingProcessName.
| where TargetFilePath endswith "\\Microsoft\\Outlook\\VbaProject.OTM"
    and not(ActingProcessName endswith "\\outlook.exe")
Scenario: A system administrator creates a macro for automating email reporting using Outlook VBA as part of a scheduled job.
Filter/Exclusion: Exclude files created by the SYSTEM or Administrators accounts, or filter by file path such as C:\Windows\System32\ or C:\Program Files\.
Scenario: The IT team deploys a Microsoft Power Automate flow that uses Outlook integration to automate email processing.
Filter/Exclusion: Exclude files with Power Automate or Microsoft Flow in the file name, or filter by process name, such as Outlook.exe launched by known automation tools.
Scenario: A developer uses Outlook with VBA macros to automate data export for internal reporting.
Filter/Exclusion: Exclude files created by developer user accounts, or filter on file extensions known to be used for reporting, such as .xls or .csv.
Scenario: A scheduled task runs a script that generates an .oft file for Outlook templates.
Filter/Exclusion: Exclude files with the .oft extension, or filter on a Task Scheduler origin.
Scenario: A third-party application (e.g., Zapier, Integromat) uses Outlook to send emails, creating temporary macro files during integration.
Filter/Exclusion: Exclude files created by known third-party tools, or filter by process name such as Zapier.exe or Integromat.exe.
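To show the rule logic (selection and not filter) and the kind of process-name exclusion the scenarios above describe, here is an added example that runs the detection over constructed Sysmon-style file-create events. This is not the rule's or Sigma's code; the sample events, host paths and the automation tool name are constructed placeholders.

```python
# Added example: the Sigma logic 'selection and not filter' in Python, run over
# constructed Sysmon Event ID 11 (FileCreate) events. Not the page's own code.
from typing import Iterable

OTM_SUFFIX = "\\microsoft\\outlook\\vbaproject.otm"   # Sigma: TargetFilename|endswith
OUTLOOK_IMAGE_SUFFIX = "\\outlook.exe"               # Sigma filter: Image|endswith


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string matching is case-insensitive; mirror that for Windows paths."""
    return value.lower().endswith(suffix.lower())


def is_suspicious_otm_creation(event: dict, extra_excluded_images: Iterable[str] = ()) -> bool:
    """True when the event matches the rule: selection hit and no filter hit.

    extra_excluded_images: optional image-name suffixes for known automation tools,
    the kind of tuning the false-positive scenarios suggest (names are hypothetical).
    """
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if not _endswith_ci(target, OTM_SUFFIX):
        return False                      # selection not met: not the Outlook macro store
    if _endswith_ci(image, OUTLOOK_IMAGE_SUFFIX):
        return False                      # filter: Outlook itself writing VbaProject.OTM
    return not any(_endswith_ci(image, s) for s in extra_excluded_images)


def hunt(events: Iterable[dict], extra_excluded_images: Iterable[str] = ()) -> list:
    """Return the events that should raise the alert."""
    excluded = tuple(extra_excluded_images)
    return [e for e in events if is_suspicious_otm_creation(e, excluded)]


# Constructed sample events (placeholder users and paths).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\notes.txt"},
    {"EventID": 11, "Image": r"C:\Tools\AutomationTool.exe",   # hypothetical automation tool
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Note that the Outlook exclusion, like the Sigma filter, only checks the image name suffix, so pair it with the full install path if your telemetry allows.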