MITRE ATT&CK® Analytic

AN0263: Analytic 0263

Adversary uses a tool like Ruler or MFCMapi to create a malicious Outlook rule that triggers execution upon receipt of a crafted email. On email delivery, Outlook executes the rule, resulting in code execution (e.g., launching mshta.exe or PowerShell). Outlook spawns a non-standard child process, often unsanctioned, without user interaction.

Domain: Enterprise | ID: AN0263 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Windows Outlook abuse pattern where a malicious mail rule causes code execution when a crafted email arrives, without the user needing to click anything. For leaders, the decision value is whether endpoint, email, and identity teams can prove they would see Outlook launching unusual child processes such as mshta.exe or PowerShell and can quickly determine whether a mailbox rule is legitimate or malicious.

Executive priority

Prioritize this as an email-to-endpoint execution risk that can bypass user-awareness assumptions because execution is triggered by mail delivery and Outlook behavior, not a visible user action. It matters for incident response readiness, SOC visibility, and audit evidence around mail client hardening, mailbox rule governance, and endpoint process monitoring on Windows systems.

Technical view

Validate whether Windows endpoint telemetry captures Outlook process ancestry and flags non-standard child processes spawned by Outlook. Since no official detection logic is supplied, detection engineering should focus on the behavior in the description: Outlook executing a rule after email delivery and spawning unsanctioned child processes such as mshta.exe or PowerShell. IR teams should be able to correlate suspicious Outlook child processes with recent email delivery and Outlook rule changes where local telemetry supports it.

Likely telemetry

  • Windows endpoint process creation events with parent-child process relationships
  • Outlook process execution telemetry
  • Command-line and executable path data for child processes such as mshta.exe or PowerShell
  • Email delivery records around the time of execution
  • Mailbox or Outlook rule creation/modification evidence, if collected

Detection direction

  • Alert or hunt for Outlook spawning unusual or high-risk child processes, especially script interpreters or living-off-the-land utilities identified in local policy as unsanctioned.
  • Tune against legitimate Outlook integrations or enterprise add-ins that may spawn helper processes to reduce false positives.
  • Correlate process execution with recent inbound email delivery and mailbox rule activity when those data sources are available.
  • Validate collection coverage on Windows endpoints; absence of process ancestry or command-line telemetry will materially weaken detection.
  • Because the ATT&CK object provides no formal detection text, treat this as a behavior-driven analytic requiring local baselining and testing.
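As an added illustration (not part of the MITRE object or of Glexia's analysis), the following Python sketch applies the detection direction above to constructed sample events: it keeps only children of Outlook, drops an allowlisted add-in helper, rates script interpreters and LOLBins higher than other non-standard children, and escalates when the same user changed a mailbox rule inside a look-back window. Event field names, the Contoso allowlist entry and the rule-audit record shape are assumptions made here, not a specific product's schema.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the page). Field names are
# an assumption, loosely modelled on Sysmon Event ID 1 / Windows Security 4688.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:14:02Z", "host": "WS-0147", "user": "corp\\alice",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"ts": "2024-05-01T09:14:05Z", "host": "WS-0147", "user": "corp\\alice",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Contoso\AddIn\ContosoHelper.exe"},
    {"ts": "2024-05-01T10:02:41Z", "host": "WS-0212", "user": "corp\\bob",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe"},
    {"ts": "2024-05-01T10:30:00Z", "host": "WS-0212", "user": "corp\\bob",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
# Constructed mailbox-rule audit record (shape of an Exchange New-InboxRule entry).
RULE_EVENTS = [{"ts": "2024-04-30T18:22:10Z", "user": "corp\\alice", "op": "New-InboxRule"}]

# Script interpreters and LOLBins that Outlook should not launch without user action.
HIGH_RISK = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
             "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Sanctioned Outlook helper processes (constructed allowlist; fill from local baseline).
SANCTIONED = {r"c:\program files\contoso\addin\contosohelper.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
def detect(proc_events, rule_events, window=timedelta(days=3)):
    """Alert on Outlook spawning a non-sanctioned child; escalate by child type and rule history."""
    alerts = []
    for ev in proc_events:
        if basename(ev["parent"]) != "outlook.exe" or ev["image"].lower() in SANCTIONED:
            continue                       # not Outlook ancestry, or a tuned-out add-in helper
        child = basename(ev["image"])
        severity = "high" if child in HIGH_RISK else "medium"   # medium = non-standard child
        t = parse_ts(ev["ts"])
        recent_rule = any(r["user"] == ev["user"]
                          and timedelta(0) <= t - parse_ts(r["ts"]) <= window
                          for r in rule_events)
        if recent_rule and severity == "high":
            severity = "critical"          # high-risk child shortly after a rule change
        alerts.append({"host": ev["host"], "user": ev["user"], "child": child,
                       "severity": severity, "recent_rule_change": recent_rule})
    return alerts
```

On the sample data the mshta.exe launch for alice is rated critical because it follows her inbox-rule change, the Acrobat launch for bob is rated medium as a non-standard but not high-risk child, and the explorer.exe-spawned PowerShell is ignored because it is outside Outlook ancestry.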

Mitigation priorities

  • Review and govern Outlook/mailbox rule creation and modification practices, especially for privileged or high-risk users.
  • Ensure Windows endpoint monitoring records Outlook child processes and command-line details.
  • Restrict or monitor unsanctioned script interpreters and utilities where business operations allow.
  • Prepare IR playbooks to investigate suspicious Outlook-spawned processes alongside email and mailbox rule evidence.
  • Use control validation to confirm that detections work for mail-triggered execution paths, not only user-click scenarios.

Analyst notes and limits

The supplied object is a detection analytic for Windows and describes malicious Outlook rule-triggered execution. No tactics, relationships, labels, or official detection text were supplied, so this take focuses on defensive validation implied by the description rather than mapping to broader ATT&CK technique context.

Assessment is limited to the official STIX fields, the MITRE external reference, and the provided description. Local environment baselines, approved Outlook integrations, endpoint logging depth, and email platform audit logs are required to determine detection quality and risk relevance.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d9faf04d01edee7c...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | d9faf04d01ed…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0263 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.