MITRE ATT&CK® Analytic

AN0502: Analytic 0502

Adversary uses a tool like Ruler to configure a malicious Outlook folder Home Page that loads a remote or embedded HTML payload upon folder interaction. Execution chain begins with Outlook launching, a specific folder being accessed, and a suspicious child process being spawned or COM-based execution invoked.

Enterprise | AN0502 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it focuses on Outlook as an execution path, not just email delivery. A malicious Outlook folder Home Page can cause remote or embedded HTML content to load when a user interacts with a folder, with execution indicated by suspicious child processes or COM-based activity. For leaders, the practical issue is whether endpoint and email-client telemetry can show when trusted productivity software becomes the launch point for code execution.

Executive priority

Prioritize validation where Outlook is business-critical on Windows endpoints. This behavior can blur the line between email security, endpoint detection, and incident response ownership, so executives should ask whether the organization can prove visibility into Outlook-launched child processes, suspicious COM execution, and folder-interaction-triggered activity. The ATT&CK object does not provide tactics, mitigations, or relationships, so prioritization should be based on local exposure to Windows Outlook usage and the maturity of endpoint monitoring.

Technical view

For SOC and detection teams, validate monitoring around Outlook process behavior on Windows. The supplied analytic describes an execution chain beginning with Outlook launching, a specific folder being accessed, and then either a suspicious child process or COM-based execution. Detection engineering should focus on correlating Outlook process starts, folder interaction context where available, child process creation, command-line details, and COM-related execution evidence. Because no official detection logic is provided, teams should build and test detections against local baselines rather than assume ATT&CK supplies a complete rule.

Likely telemetry

  • Windows endpoint process creation events for Outlook and child processes
  • Command-line, parent-child process, and image path metadata
  • Endpoint telemetry for COM-based execution associated with Outlook
  • Email client or endpoint activity showing Outlook launch and folder access where available
  • Network telemetry for Outlook-initiated or child-process-initiated remote HTML/content retrieval where available

Detection direction

  • Baseline normal Outlook child-process behavior before alerting broadly, because legitimate add-ins and integrations may create noise.
  • Alert or investigate unusual child processes spawned from Outlook, especially when linked to folder interaction or HTML/content loading context.
  • Correlate Outlook activity with COM execution indicators where endpoint telemetry supports it.
  • Review telemetry gaps: many environments collect process events but not folder access context or detailed COM activity.
  • Treat this analytic as a validation objective rather than a ready-made rule, since the official detection field is not provided.
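A minimal triage routine along the lines of the Technical view and Detection direction above, added here as an example (it is not MITRE's analytic logic and not Glexia's tooling). It builds a baseline of Outlook child images from constructed historical process-creation events, then classifies new events as baselined, unbaselined, a script host/LOLBin child, or a COM surrogate child. Field names (Image, ParentImage, CommandLine) follow a Sysmon Event ID 1-style schema as an assumption; the child-image lists, the minimum-count threshold and the dllhost.exe "/Processid:" heuristic are illustrative choices, and folder-access context is deliberately absent because, as noted above, process telemetry rarely carries it.

```python
"""Baseline-then-alert triage for child processes of Outlook.

Added example, not part of the ATT&CK object or the Glexia page. All events
below are constructed; paths, GUIDs and command lines are placeholders.
"""
import ntpath
from collections import Counter

OUTLOOK_IMAGE = "outlook.exe"
COM_SURROGATE = "dllhost.exe"

# Script hosts and LOLBins that rarely belong under Outlook; always surfaced
# regardless of baseline (illustrative list, tune to the environment).
HIGH_RISK_CHILDREN = {
    "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

SEVERITY = {"high_risk": "high", "com_surrogate": "medium", "unbaselined": "low"}

OUTLOOK_PATH = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed "historical" events from a known-good period.
BASELINE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentImage": OUTLOOK_PATH},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentImage": OUTLOOK_PATH},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentImage": OUTLOOK_PATH},
    {"Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "ParentImage": OUTLOOK_PATH},
    {"Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "ParentImage": OUTLOOK_PATH},
    {"Image": r"C:\Windows\splwow64.exe", "ParentImage": OUTLOOK_PATH},  # seen once only
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed "live" events to triage.
LIVE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentImage": OUTLOOK_PATH,
     "CommandLine": '"WINWORD.EXE" /n'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": OUTLOOK_PATH,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command <redacted>"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "ParentImage": OUTLOOK_PATH,
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"Image": r"C:\Windows\splwow64.exe", "ParentImage": OUTLOOK_PATH, "CommandLine": "splwow64.exe 8192"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe"},
]


def image_name(path):
    """Case-insensitive basename of a Windows image path (works on any OS)."""
    return ntpath.basename(path).lower()


def is_outlook_child(event):
    return image_name(event.get("ParentImage", "")) == OUTLOOK_IMAGE


def build_baseline(events, min_count=2):
    """Child images of Outlook seen at least min_count times in the baseline window."""
    counts = Counter(image_name(e["Image"]) for e in events if is_outlook_child(e))
    return {name for name, n in counts.items() if n >= min_count}


def classify(event, baseline):
    """Return None for non-Outlook children, otherwise a verdict label."""
    if not is_outlook_child(event):
        return None
    child = image_name(event["Image"])
    if child in HIGH_RISK_CHILDREN:
        return "high_risk"
    # Heuristic: an out-of-process COM surrogate launched under Outlook.
    if child == COM_SURROGATE and "/processid:" in event.get("CommandLine", "").lower():
        return "com_surrogate"
    if child not in baseline:
        return "unbaselined"
    return "baselined"


def triage(events, baseline):
    """Findings for every Outlook child that is not part of the baseline."""
    findings = []
    for e in events:
        verdict = classify(e, baseline)
        if verdict in SEVERITY:
            findings.append({"severity": SEVERITY[verdict], "reason": verdict,
                             "image": image_name(e["Image"]),
                             "command_line": e.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print("baselined Outlook children:", sorted(base))
    for f in triage(LIVE_EVENTS, base):
        print(f"[{f['severity']}] {f['reason']}: {f['image']} :: {f['command_line']}")
```

The minimum-count threshold is what keeps a one-off legitimate helper (splwow64.exe here) out of the allowlist, so it still surfaces as a low-severity review item rather than silently passing; in production the baseline window and threshold should come from the local add-in and integration inventory rather than the constants used here.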

Mitigation priorities

  • Confirm Outlook hardening and endpoint control ownership between email, desktop engineering, IAM, and SOC teams.
  • Reduce unnecessary Outlook extensibility and add-in exposure where business requirements allow.
  • Ensure endpoint logging captures parent-child process relationships and command-line metadata for Outlook.
  • Validate incident response playbooks for investigating Outlook-launched execution, including evidence collection from endpoint, email client, and network sources.
  • Use this analytic to support control-assurance and compliance evidence showing that productivity applications are monitored as possible execution sources.

Analyst notes and limits

The object is a detection analytic, AN0502, for Windows in the enterprise ATT&CK domain. It describes malicious Outlook folder Home Page behavior using a tool like Ruler, but no relationship context, tactics, official detection logic, mitigations, groups, campaigns, or software mappings were supplied. The strongest defensive value is in validating telemetry and investigation readiness around Outlook-originated execution chains.

This take is limited to the supplied ATT&CK fields. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detectability. Local Outlook configuration, endpoint logging depth, EDR visibility, and business use of add-ins will determine practical coverage and false-positive rates.

Official MITRE ATT&CK definition

Analytic 0502

Adversary uses a tool like Ruler to configure a malicious Outlook folder Home Page that loads a remote or embedded HTML payload upon folder interaction. Execution chain begins with Outlook launching, a specific folder being accessed, and a suspicious child process being spawned or COM-based execution invoked.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bc14aa762258859b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | bc14aa762258…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN0502

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.