T1137.004 - Office Application Startup: Outlook Home Page

Description from ATT&CK

Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page) Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)

Atomic Tests

Atomic Test #1 - Install Outlook Home Page Persistence

This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed.

Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox).

Supported Platforms: Windows

auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e


| Name | Description | Type | Default Value | |——|————-|——|—————| | url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html| | outlook_version | Version of Outlook that is installed | float | 16.0| | outlook_folder | Name of the Outlook folder to modify the homepage setting for | string | Inbox|

Attack Commands: Run with

reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f

Cleanup Commands:

reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1