New Outlook Macro Created

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.command-and-control attack.t1137 attack.t1008 attack.t1546 ·

Share on:

Detects the creation of a macro file for Outlook.

Sigma rule (View on GitHub)

 1title: New Outlook Macro Created
 2id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
 3related:
 4    - id: 117d3d3a-755c-4a61-b23e-9171146d094c
 5      type: derived
 6status: test
 7description: Detects the creation of a macro file for Outlook.
 8references:
 9    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
10author: '@ScoubiMtl'
11date: 2021-04-05
12modified: 2023-02-08
13tags:
14    - attack.privilege-escalation
15    - attack.persistence
16    - attack.command-and-control
17    - attack.t1137
18    - attack.t1008
19    - attack.t1546
20logsource:
21    category: file_event
22    product: windows
23detection:
24    selection:
25        Image|endswith: '\outlook.exe'
26        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
27    condition: selection
28falsepositives:
29    - User genuinely creates a VB Macro for their email
30level: medium

References

A Fresh Outlook on Mail Based Persistence - MDSec

Introduction Low privileged, user land persistence techniques are worth their weight in gold, as there are far fewer opportunities from this perspective than when you’re elevated. As such, we are...

Read More

New Outlook Macro Created

Sigma rule (View on GitHub)

References

A Fresh Outlook on Mail Based Persistence - MDSec

Related rules