Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Sigma rule (View on GitHub)
1title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
2id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
3related:
4 - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
5 type: similar
6 - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
7 type: similar
8status: test
9description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
10references:
11 - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
12 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-02-08
15modified: 2023-08-17
16tags:
17 - attack.persistence
18 - attack.defense-evasion
19 - attack.t1112
20logsource:
21 category: registry_set
22 product: windows
23detection:
24 selection:
25 TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
26 Details: 'DWORD (0x00000001)'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
Use inbox rules to automatically perform specific actions on email messages that come into your inbox.
Read More -
Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired targ…
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird