DET0095: Detect Persistence via Malicious Outlook Rules
Analyst context for executives and security teams
DET0095 is a MITRE ATT&CK detection strategy for persistence through malicious Microsoft Outlook rules. The business issue is that email automation can become a persistence mechanism: a compromised mailbox or workstation may retain attacker-controlled behavior that is triggered later by crafted email. For leaders, this matters because remediation is not only about resetting credentials or cleaning an endpoint; teams must also validate mailbox rule state and the evidence needed to prove persistence was removed.
Executive priority
Prioritize this as an identity, email, SOC, and incident response readiness question: can the organization identify suspicious Outlook rule creation or modification and confirm that malicious rules were removed during containment? Because the related ATT&CK technique falls under the Persistence tactic on the Windows and Office Suite platforms, coverage depends on whether email administration, endpoint, and audit telemetry are retained and reviewable. This is especially relevant for incident closure evidence, mailbox compromise investigations, and control validation around user-driven automation.
Technical view
This strategy detects ATT&CK T1137.005, Outlook Rules. SOC and IR teams should validate visibility into Outlook rule creation, modification, and execution-related artifacts, especially rules that trigger automated behavior or code execution when a specific email is received. Since the official detection strategy object does not provide detection logic, platforms, or tactics, detection engineering should be anchored to the related technique context: persistence via Outlook rules in Windows and Office Suite environments.
Likely telemetry
- Mailbox audit logs for inbox rule creation, modification, deletion, and ownership context
- Email administration or Office Suite audit events related to Outlook rule changes
- Endpoint evidence from Windows systems where Outlook is used, when available
- Incident response collection of user mailbox configuration and current Outlook rules
- Authentication and account activity around the time suspicious rules are created or changed
Detection direction
- Validate that mailbox rule changes are logged with enough detail to identify the rule creator, target mailbox, timestamp, conditions, and actions.
- Hunt for unusual or high-risk rule behavior, including rules designed to react to specific senders, subjects, keywords, or crafted messages, while accounting for legitimate user automation.
- Correlate suspicious rule changes with account compromise indicators, unusual mailbox access, or endpoint investigation findings.
- Confirm whether rules persist after password resets or endpoint remediation; this is a common investigation blind spot for persistence mechanisms.
- Because the ATT&CK object provides no official detection text, tune detections using local baselines and incident history rather than assuming a universal rule will be reliable.
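As an added example (not code from the ATT&CK object or the Glexia page), the following Python triages mailbox audit records for inbox-rule changes and surfaces the fields the list above calls out: creator, target mailbox, timestamp, trigger conditions and actions. The Unified Audit Log record shape, the risk weights, the `example.com` internal domain and the two sample lines are assumptions to be tuned against local baselines.

```python
# Added example: triage M365 Unified Audit Log lines for inbox-rule changes and
# flag high-risk rule features. Record shape (Operation, UserId, ObjectId,
# CreationTime, Parameters[{Name, Value}]) and the weights are assumptions.
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RISKY_ACTIONS = {"ForwardTo": 3, "ForwardAsAttachmentTo": 3, "RedirectTo": 3,
                 "DeleteMessage": 2, "MoveToFolder": 1, "MarkAsRead": 1}
TRIGGERS = {"From", "SubjectContainsWords", "BodyContainsWords",
            "SubjectOrBodyContainsWords", "HeaderContainsWords"}
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Two constructed audit lines: a benign filing rule and a forward-and-hide rule.
SAMPLE_LOG = [
    '{"CreationTime":"2026-01-10T08:02:11","Operation":"New-InboxRule","UserId":"alice@example.com","ObjectId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@example.com"},{"Name":"MoveToFolder","Value":"Reading"}]}',
    '{"CreationTime":"2026-01-10T23:41:07","Operation":"New-InboxRule","UserId":"alice@example.com","ObjectId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"ForwardTo","Value":"drop@external.invalid"},{"Name":"DeleteMessage","Value":"True"}]}',
]

def external_recipient(value):
    """True if any address in a forward/redirect value is outside INTERNAL_DOMAINS."""
    return any("@" in a and a.strip().lower().rsplit("@", 1)[1] not in INTERNAL_DOMAINS
               for a in value.replace(";", ",").split(","))

def score_rule_event(record):
    """Return (score, reasons, summary) for a rule change, or None for other operations."""
    if record.get("Operation") not in RULE_OPS:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    score, reasons = 0, []
    for name, weight in RISKY_ACTIONS.items():
        if params.get(name, "") not in ("", "False"):
            score += weight
            reasons.append(f"action {name}={params[name]}")
            if name in FORWARD_ACTIONS and external_recipient(params[name]):
                score += 2
                reasons.append("recipient outside internal domains")
    hits = sorted(t for t in TRIGGERS if t in params)
    if hits:  # content-triggered rules are the persistence pattern this page describes
        score += 1
        reasons.append("trigger " + ", ".join(f"{t}={params[t]}" for t in hits))
    summary = {"mailbox": record.get("ObjectId"), "actor": record.get("UserId"),
               "time": record.get("CreationTime"), "rule": params.get("Name")}
    return score, reasons, summary

def triage(lines, threshold=3):
    """Parse JSON audit lines; return flagged rule changes, highest score first."""
    results = [score_rule_event(json.loads(line)) for line in lines]
    return sorted((r for r in results if r and r[0] >= threshold), key=lambda r: -r[0])
```

Running `triage(SAMPLE_LOG)` flags only the second record; the summary gives the analyst the mailbox, actor and timestamp to correlate with authentication events and any later password reset.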
Mitigation priorities
- Ensure incident response playbooks include inspection and cleanup of Outlook rules for affected mailboxes.
- Retain and routinely test access to mailbox and Office Suite audit logs needed to reconstruct rule changes.
- Apply least-privilege and strong identity controls around mailbox access and email administration where applicable.
- Create administrative procedures for reviewing suspicious or unexpected rule configurations during mailbox compromise investigations.
- Document evidence of rule review and remediation for audit, compliance, and incident closure.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. The useful context comes from its relationship to T1137.005, Outlook Rules, which describes adversary abuse of Outlook rules for persistence and possible code execution triggered by crafted email. Treat this as a coverage validation prompt rather than a complete analytic.
Platforms and tactics are not specified on the detection strategy object itself. Windows, Office Suite, and Persistence are derived only from the related technique. No active exploitation, actor attribution, impact claims, or guaranteed detection coverage are provided by the supplied data.
Detect Persistence via Malicious Outlook Rules
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1137.005 | Outlook Rules Sub-technique | This object detects Outlook Rules. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 780cf2d5cbb0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0095
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.