Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook mail rules to start applications or run macros.
Sigma rule
title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
    - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
      type: similar
    - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
      type: similar
status: experimental
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/08
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
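As an added example (not code from the SigmaHQ rule or its repository), the rule's selection applied to constructed Sysmon Event ID 13 (registry_set) events, so you can see which writes fire and which do not; the event field names, SIDs and sample paths are assumptions.

```python
# Added example, not part of the Sigma rule or the SigmaHQ project.
# Re-implements the rule's `selection` over a minimal registry_set event shape
# (Sysmon Event ID 13: TargetObject + Details), using Sigma's default
# case-insensitive string matching.
from dataclasses import dataclass

# Values taken from the rule above.
RULE_TARGET_SUFFIX = r"\Outlook\Security\EnableUnsafeClientMailRules"
RULE_DETAILS = "DWORD (0x00000001)"


@dataclass
class RegistrySetEvent:
    """Constructed view of one registry_set event (not real telemetry)."""
    target_object: str  # Sysmon TargetObject, e.g. HKU\<SID>\Software\...
    details: str        # Sysmon Details, e.g. "DWORD (0x00000001)"


def matches_rule(event: RegistrySetEvent) -> bool:
    """True when the event satisfies `TargetObject|endswith` AND `Details`."""
    # Sigma treats string values as case-insensitive by default.
    suffix_ok = event.target_object.casefold().endswith(RULE_TARGET_SUFFIX.casefold())
    details_ok = event.details.casefold() == RULE_DETAILS.casefold()
    return suffix_ok and details_ok


def alerts(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (assumed SIDs and Office version paths).
SAMPLE_EVENTS = [
    # Per-user Outlook 2016 value set to 1: the rule fires.
    RegistrySetEvent(
        target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\EnableUnsafeClientMailRules",
        details="DWORD (0x00000001)",
    ),
    # Same value reset to 0 (the safe state): no alert, as the rule keys on 1.
    RegistrySetEvent(
        target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\EnableUnsafeClientMailRules",
        details="DWORD (0x00000000)",
    ),
    # A different Outlook\Security value: the endswith test excludes it.
    RegistrySetEvent(
        target_object=r"HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\Level",
        details="DWORD (0x00000001)",
    ),
]
```

Because the match is an `endswith`, the same selection covers the policy hive and every Office version path, which is why the rule does not hard-code `16.0` or `15.0`.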
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- ClickOnce Trust Prompt Tampering