Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

calendar Aug 17, 2023 · attack.defense_evasion attack.t1112  ·
Share on: linkedin copy

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Sigma rule (View on GitHub)

 1title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
 2id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
 3related:
 4    - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
 5      type: similar
 6    - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
 7      type: similar
 8status: experimental
 9description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
10references:
11    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
12    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023/02/08
15modified: 2023/08/17
16tags:
17    - attack.defense_evasion
18    - attack.t1112
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection:
24        TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
25        Details: 'DWORD (0x00000001)'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

  • How to control the rule actions to start an application or run a macro in Outlook 2016 and Outlook 2013 - Microsoft Support

    Describes how to control the rule actions to start an application or run a macro in Microsoft Outlook 2016 and Outlook 2013.


    Read More

  • Hunting for persistence via Microsoft Exchange Server or Outlook

    Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.


    Read More

Related rules

to-top