MITRE ATT&CK® Analytic

AN0086: Analytic 0086

Outlook form execution upon message receipt or client launch results in automated code execution within user session. Form definitions deviate from standard templates and include script logic or COM object calls embedded in form fields.

Domain: Enterprise | ID: AN0086 | Type: Analytic | Object version: 1.0 | Modified: (not captured in the mirrored data)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Microsoft Outlook behavior in which a custom Outlook form can run embedded script automatically when a message using that form is received or when the client launches. For security leaders, the practical issue is that email and collaboration tooling becomes an execution path inside a user session whenever nonstandard form definitions with embedded script logic or COM object calls are allowed, or are simply not monitored.

Executive priority

Treat this as an Office Suite control and monitoring validation item. Leaders should ask whether the organization can identify nonstandard Outlook form definitions, explain who is allowed to create or publish them, and produce evidence that email-client execution paths are governed. This matters for incident readiness and audit confidence because the supplied ATT&CK object has no detection text; coverage depends on local visibility, configuration control, and SOC procedures rather than a ready-made analytic.

Technical view

SOC and detection teams should validate visibility into Outlook form usage and into deviations from the standard templates. The behavior to look for is form execution triggered by message receipt or Outlook client launch, where the form definition carries script logic or COM object calls in its fields. Two caveats shape feasibility. First, a custom form only runs from where it is published (a personal forms library, a folder forms library, or the organizational forms library), so publication records are part of the evidence trail. Second, current Outlook builds disable custom form script by default, so whether a deviant form actually executes depends on client version and configured policy; that makes the client-side setting itself a telemetry item worth collecting. Because no ATT&CK tactics, relationships, or official detection logic are supplied, teams should not assume technique context and should instead test whether Office Suite telemetry, endpoint telemetry, and email-client configuration data can expose custom form definitions and execution events within the user session.

Likely telemetry

  • Outlook or Office client configuration and operational logs related to forms
  • Endpoint process and script execution telemetry from user sessions running Outlook
  • Evidence of COM object invocation associated with Office or Outlook processes
  • Email/client-side artifacts showing custom or nonstandard Outlook form definitions
  • Administrative records for creation, publication, or modification of Outlook forms where available

Detection direction

  • Inventory what constitutes a standard Outlook form template in the environment, then alert or review deviations that include script logic or COM object calls.
  • Validate whether the SOC can correlate Outlook launch or message receipt timing with user-session code execution indicators.
  • Tune carefully for legitimate custom business forms, since custom Outlook forms may be used for approved workflows.
  • Prioritize detections that combine form-definition anomalies with execution evidence, rather than flagging customization alone.
  • Document blind spots where Office client logging, endpoint telemetry, or form publication records are not collected.
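The correlation described in the technical view and in the detection direction above, as an added worked example (not part of the original page or of MITRE's object): it scans constructed textual dumps of form definitions for script or COM markers, correlates message-receipt and client-launch events with Outlook spawning a script host inside a short window, and rates the result so that an approved custom form or a form anomaly with no execution evidence is queued for review rather than alerted on. The marker patterns, the script-host list, the five-minute window, the allow-list, and all sample events are assumptions chosen for illustration; real form definitions are stored as compound files, so the textual script dumps here are a constructed simplification of whatever export your tooling produces.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative markers for script logic or COM object calls inside a form
# definition (assumption: tune to local conventions; not exhaustive).
SCRIPT_MARKERS = {
    "com_create": re.compile(r"\b(?:CreateObject|GetObject)\s*\(", re.I),
    "shell_com": re.compile(r"\b(?:WScript\.Shell|Shell\.Application)\b", re.I),
    "form_event_handler": re.compile(r"\b(?:Sub|Function)\s+Item_(?:Open|Read|Send|Close)\b", re.I),
}

# Script hosts whose appearance as a child of outlook.exe counts as execution evidence (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}

# Tuning allow-list of approved custom forms: customization alone is not an alert.
APPROVED_FORMS = {"IPM.Note.ExpenseApproval"}


@dataclass
class FormDefinition:
    message_class: str   # message class the form is published under
    script: str          # constructed textual dump of the form's script/field logic

@dataclass
class TriggerEvent:
    ts: datetime
    kind: str            # "client_launch" or "message_receipt"
    message_class: str   # message class of the received item ("" for a launch)

@dataclass
class ProcessEvent:
    ts: datetime
    parent_image: str
    image: str
    command_line: str


def form_anomalies(form: FormDefinition) -> list:
    """Names of the script/COM markers present in a form definition."""
    return [name for name, rx in SCRIPT_MARKERS.items() if rx.search(form.script)]


def execution_evidence(trigger: TriggerEvent, processes: list, window=timedelta(minutes=5)) -> list:
    """Script hosts spawned by outlook.exe within `window` after the trigger."""
    end = trigger.ts + window
    return [p for p in processes
            if p.parent_image.lower() == "outlook.exe"
            and p.image.lower() in SCRIPT_HOSTS
            and trigger.ts <= p.ts <= end]


def evaluate(forms: list, triggers: list, processes: list) -> list:
    """One finding per nonstandard form; severity depends on allow-list and execution evidence."""
    findings = []
    for form in forms:
        markers = form_anomalies(form)
        if not markers:
            continue  # standard form, nothing to review
        # Launch-triggered execution cannot be tied to one form, so launches apply to every form;
        # receipt-triggered execution is tied to the received item's message class.
        related = [t for t in triggers if t.kind == "client_launch" or t.message_class == form.message_class]
        evidence = {}
        for t in related:
            for p in execution_evidence(t, processes):
                evidence[(p.ts, p.image)] = p
        approved = form.message_class in APPROVED_FORMS
        if evidence:
            severity = "review" if approved else "high"
        else:
            severity = "info" if approved else "low"
        findings.append({"form": form.message_class, "severity": severity,
                         "markers": markers, "execution": list(evidence.values())})
    return findings


# Constructed sample data (not real telemetry).
SAMPLE_FORMS = [
    FormDefinition("IPM.Note", "Standard message form, no script."),
    FormDefinition("IPM.Note.ExpenseApproval",
                   'Sub Item_Open()\n  Set app = CreateObject("Excel.Application")\nEnd Sub'),
    FormDefinition("IPM.Note.Invoice",
                   'Sub Item_Open()\n  Set sh = CreateObject("WScript.Shell")\n'
                   '  sh.Run "powershell.exe -NoProfile -Command Get-Process", 0\nEnd Sub'),
]
SAMPLE_TRIGGERS = [
    TriggerEvent(datetime(2024, 3, 4, 9, 0, 0), "client_launch", ""),
    TriggerEvent(datetime(2024, 3, 4, 9, 12, 30), "message_receipt", "IPM.Note.Invoice"),
]
SAMPLE_PROCESSES = [
    ProcessEvent(datetime(2024, 3, 4, 9, 0, 3), "outlook.exe", "winword.exe", "winword.exe /embedding"),
    ProcessEvent(datetime(2024, 3, 4, 9, 12, 41), "outlook.exe", "powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Process"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_FORMS, SAMPLE_TRIGGERS, SAMPLE_PROCESSES):
        print(f["severity"], f["form"], f["markers"], len(f["execution"]))
```

On the sample data the invoice form rates "high" (script and COM markers plus a script host spawned by Outlook eleven seconds after the matching message arrived), the approved expense form rates "info", and the standard form produces no finding; swapping the allow-list or the window changes the rating without changing the evidence, which is the tuning knob the page recommends.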

Mitigation priorities

  • Establish governance for who can create, publish, or modify Outlook forms.
  • Restrict or review nonstandard form templates that contain script logic or COM object calls where business need is not established.
  • Ensure endpoint and Office Suite monitoring can capture relevant client-side execution and configuration evidence.
  • Include Outlook form abuse scenarios in incident response playbooks and evidence collection checklists.
  • Maintain audit-ready records of approved custom forms and related administrative changes.

Analyst notes and limits

The supplied object is a detection analytic, AN0086, for the Office Suite platform. It describes automated code execution through Outlook form execution on message receipt or client launch, specifically where form definitions differ from standard templates and include embedded script logic or COM object calls. No relationship context, tactics, aliases, labels, or official detection procedure were provided.

This take is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, adversary attribution, business impact, or detection coverage. Local Outlook configuration, endpoint telemetry, and approved business use of custom forms are required to determine material risk and detection feasibility.

Official MITRE ATT&CK definition

Analytic 0086

Outlook form execution upon message receipt or client launch results in automated code execution within user session. Form definitions deviate from standard templates and include script logic or COM object calls embedded in form fields.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not captured)
Modified: (not captured)
Raw hash: c42b6a96a1a2110e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (not captured)  | 1.0            | (not captured) | Current bundle | c42b6a96a1a2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0086 (source URL preserved in the reference record).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.