Potential Persistence Via Outlook Home Page

    Date: 08/08/2024

    Severity: High

    Summary

    Detects potential persistence through the Outlook home page feature. An attacker who can write to the Outlook WebView registry keys can set a folder home page URL, which enables code execution inside Outlook and provides persistence across restarts.

    Indicators of Compromise (IOC) List

    TargetObject (Sysmon registry value-set event; the three path fragments below all appear in the written key path)

    \Software\Microsoft\Office\
    \Outlook\WebView\
    \URL

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourceName = "Sysmon"  AND eventtype = "13"  ) AND targetobject in ("\\Software\\Microsoft\\Office" , "\\Outlook\\WebView" , "\\URL")

    Detection Query 2

    (technologygroup = "EDR" ) AND targetobject in ("\\Software\\Microsoft\\Office" , "\\Outlook\\WebView" , "\\URL")
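
    The detection logic above, applied to constructed Sysmon Event ID 13 records as an added example (not Gurucul's or SigmaHQ's own code). It mirrors the referenced Sigma rule: the event is a registry value set and the TargetObject contains all three path fragments. The sample events and their paths, user SIDs and URLs are constructed for illustration; note that the fragments sit inside a longer full key path, so a substring match is required rather than an exact one.

```python
"""Outlook home-page persistence detection over Sysmon Event ID 13 records.

Sysmon Event ID 13 = RegistryEvent (value set). The Sigma rule this page
references requires that TargetObject contain ALL of three fragments.
"""
from dataclasses import dataclass
from typing import List

# Fragments that must all be present in the key path (matched case-insensitively).
WEBVIEW_URL_FRAGMENTS = (
    "\\Software\\Microsoft\\Office\\",
    "\\Outlook\\WebView\\",
    "\\URL",
)


@dataclass
class RegistryEvent:
    event_id: int          # Sysmon EventID
    image: str             # process that wrote the value
    target_object: str     # full registry path of the value
    details: str           # value data as Sysmon logs it


def is_outlook_homepage_set(ev: RegistryEvent) -> bool:
    """True when a value-set event writes an Outlook folder home page URL."""
    if ev.event_id != 13:
        return False
    target = ev.target_object.lower()
    return all(frag.lower() in target for frag in WEBVIEW_URL_FRAGMENTS)


def find_hits(events: List[RegistryEvent]) -> List[RegistryEvent]:
    """Return the subset of events that match the rule."""
    return [ev for ev in events if is_outlook_homepage_set(ev)]


# Constructed sample events (SID, paths and URL are placeholders, not real IOCs).
SAMPLE_EVENTS = [
    # Home page URL set on the Inbox folder: should alert.
    RegistryEvent(13, "C:\\Windows\\System32\\reg.exe",
                  "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Inbox\\URL",
                  "http://example.invalid/page.html"),
    # Unrelated Outlook preference under the same Office key: no alert.
    RegistryEvent(13, "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                  "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Office\\16.0\\Outlook\\Preferences\\Sample",
                  "DWORD (0x00000001)"),
    # Same WebView path but Event ID 12 (key create/delete), not a value set: no alert.
    RegistryEvent(12, "C:\\Windows\\System32\\reg.exe",
                  "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Calendar\\URL",
                  ""),
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT: Outlook home page set by {hit.image}: {hit.target_object} -> {hit.details}")
```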

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml

    https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70

    https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us

    https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change

    Tags

    Malware, Sigma
