Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Sigma rule (View on GitHub)

 1title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
 2id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
 3related:
 4    - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
 5      type: similar
 6    - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
 7      type: similar
 8status: test
 9description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
10references:
11    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
12    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023/02/08
15modified: 2023/08/17
16tags:
17    - attack.defense_evasion
18    - attack.t1112
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection:
24        TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
25        Details: 'DWORD (0x00000001)'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

Related rules

to-top