Outlook EnableUnsafeClientMailRules Setting Enabled

 1title: Outlook EnableUnsafeClientMailRules Setting Enabled
 2id: 55f0a3a1-846e-40eb-8273-677371b8d912
 3related:
 4    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
 5      type: similar
 6status: test
 7description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
 8references:
 9    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
10    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
11    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
12author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
13date: 2018/12/27
14modified: 2023/02/09
15tags:
16    - attack.execution
17    - attack.t1059
18    - attack.t1202
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

• OVERRULED: Containing a Potentially Destructive Adversary | Mandiant

  

  UPDATE (Jul. 3, 2019): On May 16, 2019 FireEye's Advanced Practices team attributed the remaining "suspected APT33 activity" (referred to as GroupB in this blog post) to APT33, operating at the beh...

  
  Read More

• Hunting for persistence via Microsoft Exchange Server or Outlook

  

  Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.

  
  Read More

• How to control the rule actions to start an application or run a macro in Outlook 2016 and Outlook 2013 - Microsoft Support

  

  Describes how to control the rule actions to start an application or run a macro in Microsoft Outlook 2016 and Outlook 2013.

  
  Read More

Related rules

• Renamed FTP.EXE Execution
• Run PowerShell Script from Redirected Input Stream
• Hacktool Ruler
• Suspicious User-Initiated Process Execution on External Drive (Old)
• Suspicious User-Initiated Process Execution on External Drive (Sysmon)