EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Outlook Macro Execution Without Warning Setting Enabled

Detects the modification of Outlook security setting to allow unprompted execution of macros.

MITRE ATT&CK

T1137T1008T1546
privilege-escalationpersistencecommand-and-control

Detection Query

selection:
  TargetObject|endswith: \Outlook\Security\Level
  Details|contains: "0x00000001"
condition: selection

Author

@ScoubiMtl

Created

2021-04-05

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.command-and-controlattack.t1137attack.t1008attack.t1546
Raw Content
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\Level'
        Details|contains: '0x00000001' # Enable all Macros
    condition: selection
falsepositives:
    - Unlikely
level: high