DET0029: Detect Persistence via Outlook Custom Forms Triggered by Malicious Email
DET0029 points defenders at a persistence risk involving malicious Microsoft Outlook custom forms: an attacker who has already reached a mailbox or system...
Analyst context for executives and security teams
DET0029 points defenders at a persistence risk involving malicious Microsoft Outlook custom forms: an attacker who has already reached a mailbox or system may add a form that can run code when triggered by a crafted email and load when Outlook starts. For leaders, the practical issue is not just email security; it is whether endpoint, mailbox, and incident response processes can find persistence hidden inside user productivity tooling.
Executive priority
Prioritize this as an identity, endpoint, and email-resilience validation item where Outlook is business-critical. Security leaders should ask whether teams can prove visibility into Outlook form changes, mailbox artifacts, Outlook startup behavior, and suspicious email-triggered execution. This matters for incident scoping and audit evidence because persistence in Office tooling can survive routine user activity and may be missed if monitoring focuses only on malware files or login events.
Technical view
The supplied detection strategy has no official detection text, so SOC and IR teams should anchor validation to the related ATT&CK technique T1137.003, Outlook Forms, under persistence on Windows and Office Suite. Confirm whether investigations can correlate custom Outlook form presence or changes with crafted inbound email, Outlook process activity, and user mailbox context. Detection engineering should avoid assuming that email gateway logs alone are sufficient; the relationship context implies persistence may reside in the mailbox and execute through Outlook behavior.
Likely telemetry
- Microsoft Outlook and Office application activity on Windows endpoints
- Mailbox and Exchange/Office Suite audit records showing custom form creation, modification, publication, or access where available
- Email metadata for messages that may trigger a custom form
- Endpoint process execution and child-process activity associated with Outlook
- User and mailbox identity context for the affected account
Detection direction
- Validate that monitoring covers both mailbox-side artifacts and Windows endpoint behavior, since the related technique spans Office Suite and Windows.
- Tune for unusual or unauthorized custom Outlook forms, especially when followed by Outlook startup or crafted-message interaction.
- Correlate suspicious email delivery with Outlook execution activity and the affected user mailbox rather than treating these as separate alerts.
- Account for false positives from legitimate business or legacy Outlook form usage; baseline approved forms and owners where possible.
- Document blind spots where mailbox auditing, endpoint telemetry, or Office application logging is unavailable.
Mitigation priorities
- Inventory and govern legitimate Outlook custom form usage before relying on anomaly-based detection.
- Restrict and review who can create or publish custom Outlook forms where administrative controls allow it.
- Ensure endpoint and mailbox logging required for persistence investigations is enabled and retained.
- Include Outlook form and mailbox artifact checks in incident response playbooks for suspected persistence.
- Use detection validation exercises to confirm SOC analysts can pivot from suspicious email to Outlook endpoint behavior and mailbox artifacts.
Analyst notes and limits
This take is derived from ATT&CK detection strategy DET0029 and its relationship to technique T1137.003, Outlook Forms. The ATT&CK object itself provides no official description, detection logic, tactics, or platforms; the practical guidance is therefore tied to the related technique’s persistence context and listed Windows and Office Suite platforms.
No official DET0029 detection text, data sources, analytics, mitigations, or procedure examples were supplied. Local Microsoft 365/Exchange/Outlook configuration, logging availability, and legitimate Outlook form usage must be reviewed before creating firm detection rules or control assertions.
Detect Persistence via Outlook Custom Forms Triggered by Malicious Email
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1137.003 | Outlook Forms Sub-technique | This object detects Outlook Forms. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 5581ea5dd4c2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0029Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.