Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attempt to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook mail rules to start applications or run macros
Sigma rule
```yaml
title: Outlook EnableUnsafeClientMailRules Setting Enabled
id: 55f0a3a1-846e-40eb-8273-677371b8d912
related:
  - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
    type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
  - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
  - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
  - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
  - attack.execution
  - attack.defense-evasion
  - attack.t1059
  - attack.t1202
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
  condition: selection
falsepositives:
  - Unknown
level: high
```
Related rules
- Suspicious Remote Child Process From Outlook
- Renamed NirCmd.EXE Execution
- Renamed PingCastle Binary Execution
- Renamed CURL.EXE Execution
- Potential Arbitrary Command Execution Via FTP.EXE