Outlook Security Settings Updated - Registry

Apr 27, 2026 · attack.persistence attack.t1137 ·

Detects changes to the registry values related to outlook security settings

Sigma rule (View on GitHub)

 1title: Outlook Security Settings Updated - Registry
 2id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
 3related:
 4    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules
 5      type: similar
 6status: test
 7description: Detects changes to the registry values related to outlook security settings
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
10    - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
11author: frack113
12date: 2021-12-28
13modified: 2026-01-09
14tags:
15    - attack.persistence
16    - attack.t1137
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|contains|all:
23            - '\SOFTWARE\Microsoft\Office\'
24            - '\Outlook\Security\'
25    filter_main_outlook:
26        Image|startswith:
27            - 'C:\Program Files\Microsoft Office\'
28            - 'C:\Program Files (x86)\Microsoft Office\'
29        Image|endswith: '\OUTLOOK.EXE'
30    condition: selection and not 1 of filter_main_*
31falsepositives:
32    - Administrative activity
33level: medium

Outlook Security Settings Updated - Registry

Sigma rule (View on GitHub)

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md

https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings

Related rules