Suspicious File Created in Outlook Temporary Directory

 1title: Suspicious File Created in Outlook Temporary Directory
 2id: fabb0e80-030c-4e3e-a104-d09676991ac3
 3related:
 4    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
 5      type: obsolete
 6status: experimental
 7description: |
 8    Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
 9    This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.    
10references:
11    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
12    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
13    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
14author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
15date: 2025-07-22
16tags:
17    - attack.initial-access
18    - attack.t1566.001
19logsource:
20    product: windows
21    category: file_event
22detection:
23    selection_extension:
24        TargetFilename|endswith:
25            - '.cpl'
26            - '.hta'
27            - '.iso'
28            - '.rdp'
29            - '.svg'
30            - '.vba'
31            - '.vbe'
32            - '.vbs'
33    selection_location:
34        - TargetFilename|contains:
35              - '\AppData\Local\Packages\Microsoft.Outlook_'
36              - '\AppData\Local\Microsoft\Olk\Attachments\'
37        - TargetFilename|contains|all:
38              - '\AppData\Local\Microsoft\Windows\'
39              - '\Content.Outlook\'
40    condition: all of selection_*
41falsepositives:
42    - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
43level: high

References

• SVG Phishing Attacks: The New Trick in the Cybercriminal's Playbook

  

  Cicada3301 Ransomware, a new Rust-based RaaS variant, targets Windows and Linux systems with data leaks on Tor and advanced evasion tactics.

  
  Read More

• Rogue RDP Files Targeting Ukrainian Government, Military

  

  Hackers are trying to gain remote access to Ukrainian government and military systems leveraging RDP files disguised as popular network and security services.

  
  Read More

• Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog

  

  Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available.

  
  Read More

Related rules

• Disk Image Mounting Via Hdiutil - MacOS
• Ursnif Malware C2 URL Pattern
• Suspicious Double Extension File Execution
• Exploit for CVE-2017-0261
• Exploit for CVE-2017-8759