AN0085: Analytic 0085
Adversary uses a tool like Ruler to insert a malicious custom form into the user's Outlook mailbox. The form is designed to auto-execute on Outlook startup or on receipt of a specially crafted email. This results in child processes launched from outlook.exe and possibly network connections or payload loading.
Analyst context for executives and security teams
This analytic describes a Windows Outlook persistence/execution scenario where a malicious custom Outlook form can cause outlook.exe to start child processes, make network connections, or load payloads. For security leaders, the value is not the tool name itself but whether email-client activity is visible enough for the SOC to distinguish normal Outlook behavior from suspicious process launches and follow-on network activity.
Executive priority
Prioritize this as an endpoint and email-client visibility question: can the organization prove it monitors Outlook-launched processes and related network behavior on Windows systems? This matters for incident response readiness, identity/email security assurance, and audit evidence because Outlook is a high-trust business application and malicious automation inside it may blend into ordinary user activity. Budget and control decisions should focus on telemetry completeness and investigation playbooks rather than assuming a single preventive control will cover the behavior.
Technical view
Validate detection on Windows hosts running Outlook, especially child processes spawned by outlook.exe and any associated network connections or payload-loading indicators. Note that a tool such as Ruler writes the form into the mailbox remotely over the Exchange MAPI interface rather than from the endpoint, so endpoint telemetry captures only the execution side; mailbox-side evidence depends on Exchange or Microsoft 365 logging. Because no official detection logic is provided, SOC teams should build and tune baselines of expected Outlook child processes, investigate unusual process ancestry, and correlate endpoint process telemetry with network telemetry. IR teams should be prepared to examine the affected mailbox's form configuration and the endpoint's execution history, but local evidence is required to determine scope.
Likely telemetry
- Windows endpoint process creation events showing outlook.exe as a parent process
- Command-line and process ancestry data for child processes launched from outlook.exe
- Endpoint network connection telemetry tied to outlook.exe or its child processes
- File or payload load evidence associated with Outlook-started processes
- Mailbox or Outlook configuration evidence relevant to custom forms, where available
Detection direction
- Create or validate analytics for unusual child processes spawned by outlook.exe on Windows.
- Correlate Outlook process ancestry with outbound network connections or subsequent payload loading.
- Tune against known legitimate Outlook integrations, add-ins, and enterprise workflows to reduce false positives.
- Look for rare or newly observed child process names, command lines, or network destinations in the local environment.
- Document telemetry gaps explicitly because the ATT&CK object provides no official detection text and no relationship context.
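As an added example that is not part of the ATT&CK object or this page, the following Python script applies the detection steps above to a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection). The field names follow Sysmon's, but the events themselves, the host name, the process GUIDs, the baseline counts of expected outlook.exe children and the list of suspicious command-line tokens are all assumptions for illustration; in production the baseline is built from the environment's own history and the tokens from its own tuning.

```python
"""Flag unusual children of outlook.exe and correlate them with follow-on
network connections. Added example; events and baseline are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): newline-delimited JSON using
# Sysmon field names. GUIDs, host and destinations are made up.
SAMPLE_LOG = r'''
{"EventID":1,"UtcTime":"2024-05-01 09:00:01.000","Computer":"WS01","ProcessGuid":"{A1}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"OUTLOOK.EXE\""}
{"EventID":1,"UtcTime":"2024-05-01 09:05:10.000","Computer":"WS01","ProcessGuid":"{B2}","ParentProcessGuid":"{A1}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","CommandLine":"WINWORD.EXE /n report.docx"}
{"EventID":3,"UtcTime":"2024-05-01 09:05:30.000","Computer":"WS01","ProcessGuid":"{B2}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","DestinationIp":"10.0.0.5","DestinationPort":445}
{"EventID":1,"UtcTime":"2024-05-01 09:07:42.000","Computer":"WS01","ProcessGuid":"{C3}","ParentProcessGuid":"{A1}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"EventID":3,"UtcTime":"2024-05-01 09:07:44.000","Computer":"WS01","ProcessGuid":"{C3}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationIp":"203.0.113.7","DestinationPort":443}
'''

# Assumed baseline: how often each child image was seen under outlook.exe in
# the environment's recent history. Anything absent here is "rare".
BASELINE = {"winword.exe": 40, "excel.exe": 25, "msedge.exe": 60, "acrord32.exe": 12}

# Assumed command-line tokens worth flagging even for an allowlisted child.
SUSPICIOUS_CMDLINE_TOKENS = ("-enc", "-w hidden", "-nop", "iex", "downloadstring",
                             "mshta", "regsvr32", "rundll32")


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def event_time(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect_outlook_children(events, baseline, window=timedelta(minutes=5)):
    """Return alerts for outlook.exe children that are rare in the baseline or
    carry suspicious command lines, with any network connections the child
    made within `window` of its creation attached."""
    net_by_guid = defaultdict(list)
    for e in events:
        if e.get("EventID") == 3:
            net_by_guid[e.get("ProcessGuid")].append(e)

    alerts = []
    for e in events:
        if e.get("EventID") != 1 or basename(e.get("ParentImage", "")) != "outlook.exe":
            continue
        child = basename(e["Image"])
        reasons = []
        if baseline.get(child, 0) == 0:
            reasons.append("child not seen under outlook.exe in baseline")
        cmd = e.get("CommandLine", "").lower()
        hits = [t for t in SUSPICIOUS_CMDLINE_TOKENS if t in cmd]
        if hits:
            reasons.append("suspicious command line: " + ", ".join(hits))
        if not reasons:
            continue  # allowlisted child with a clean command line: normal
        start = event_time(e)
        conns = [c for c in net_by_guid.get(e.get("ProcessGuid"), [])
                 if start <= event_time(c) <= start + window]
        alerts.append({
            "host": e.get("Computer"),
            "child": child,
            "command_line": e.get("CommandLine", ""),
            "parent_guid": e.get("ParentProcessGuid"),
            "reasons": reasons,
            "destinations": [f'{c["DestinationIp"]}:{c["DestinationPort"]}' for c in conns],
            # Follow-on network activity from a rare child raises the severity.
            "severity": "high" if conns else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_outlook_children(parse_events(SAMPLE_LOG), BASELINE):
        print(json.dumps(alert, indent=2))
```

The WINWORD.EXE child is left alone even though it makes an SMB connection, because it is in the baseline and its command line is ordinary; that is the exception management the list above calls for. The PowerShell child is flagged on both the baseline and the command line, and its outbound 443 connection within the correlation window raises the alert to high.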
Mitigation priorities
- Harden and monitor Outlook/mailbox configuration practices where custom forms or automation are used.
- Ensure endpoint detection collects process ancestry and command-line telemetry for Windows Outlook systems.
- Restrict or review unnecessary Outlook integrations and add-ins according to business need.
- Prepare incident response procedures for collecting endpoint execution data and relevant mailbox/Outlook configuration evidence.
- Use baselining and exception management so legitimate business automation does not hide suspicious Outlook-launched execution.
Analyst notes and limits
This Glexia take is based on the supplied ATT&CK analytic AN0085 only. The key defensive decision is whether Outlook-originated execution is observable and triageable. The supplied object names Ruler as an example tool, but this summary does not infer attribution, active exploitation, or specific campaigns.
ATT&CK provides no official detection text, tactics, mitigations, or relationships for this object in the supplied data. Applicability is limited to the stated Windows platform and Outlook behavior described. Local environment baselines are required to determine what is suspicious versus expected.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 861c52bd5abf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0085
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.