MITRE ATT&CK® Detection Strategy

DET0177: Detect Persistence via Outlook Home Page Exploitation

Enterprise | DET0177 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0177 is a detection strategy for finding persistence that abuses the legacy Microsoft Outlook Home Page feature. The business significance is that persistence can be hidden inside a familiar productivity application, so recovery and containment may fail if responders only remove malware files or reset accounts without checking Outlook-specific configuration. Because the related ATT&CK technique is tied to Windows and Office Suite environments, this is most relevant where Outlook desktop use is in scope.

Executive priority

Treat this as an assurance question for endpoint, identity, and incident response readiness: can the organization prove it would notice or investigate suspicious Outlook Home Page configuration used for persistence? Leaders should prioritize validation where Outlook is business-critical, where privileged users rely on Office, or where incident response playbooks must demonstrate complete eradication of persistence mechanisms. The supplied ATT&CK object does not include an official detection procedure, so budget and control decisions should be based on local telemetry availability and tested response workflows rather than assumed coverage.

Technical view

The detection strategy maps to ATT&CK technique T1137.004, Outlook Home Page, under the persistence tactic. SOC and IR teams should validate whether they can observe changes to Outlook Home Page-related configuration and correlate those changes with user, process, endpoint, and Office activity. Because the detection strategy itself has no official detection text and no platforms listed, engineering should use the related technique context conservatively: focus on Windows endpoints running Outlook/Office Suite and confirm what local logs, endpoint telemetry, and configuration baselines actually expose.

Likely telemetry

  • Endpoint configuration or registry-change telemetry related to Outlook folder Home Page settings
  • EDR process and parent/child process activity involving Outlook and associated script or browser components
  • File and web access evidence for internal or external URLs loaded by Outlook Home Page behavior
  • User and host inventory showing Outlook/Office Suite presence on Windows systems
  • Change-management or endpoint baseline data for expected Outlook configuration

Detection direction

  • Validate that detection content looks for unexpected Outlook Home Page configuration changes rather than only generic malware execution.
  • Baseline legitimate Outlook customization, if any, to reduce false positives from sanctioned legacy configuration.
  • Correlate configuration changes with the user account, host, time, Outlook activity, and any subsequent code execution or network access.
  • Check for blind spots on unmanaged Windows endpoints, lightly monitored executive workstations, and systems where Office telemetry is not centrally collected.
  • Use the relationship to T1137.004 as context for persistence hunting, but do not assume ATT&CK supplied a complete analytic because the official detection field is not provided.
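The telemetry list and the detection checks above describe what to look for but not how to test it. The following Python is an added example, not code from MITRE ATT&CK, DET0177 or the Glexia analysis: it runs over constructed registry value-set records laid out with the Sysmon Event ID 13 (RegistryEvent, Value Set) field names, isolates writes to the per-folder Outlook Home Page URL values, compares each write to a hypothetical baseline of sanctioned customizations, and flags values written by anything other than Outlook itself. The registry location it matches, HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>\URL (which Sysmon reports under HKU\<SID>), is a property of Outlook rather than something stated on this page; the sample events, BASELINE and EXPECTED_WRITERS are constructed and should be replaced with the Office builds, telemetry pipeline and change-management records actually in scope.

```python
"""Hunt registry value-set telemetry for Outlook Home Page persistence.

Added example; not code from MITRE ATT&CK, DET0177 or the Glexia page.
Assumptions (verify locally):
  * Records carry Sysmon Event ID 13 field names, flattened with the event's
    Computer field: EventID, UtcTime, Computer, User, Image, TargetObject, Details.
  * Outlook stores a folder's Home Page URL under
    HKCU\\Software\\Microsoft\\Office\\<version>\\Outlook\\WebView\\<Folder>\\URL,
    which Sysmon reports as HKU\\<SID>\\... (a property of Outlook, not a claim
    made on this page).
  * BASELINE and EXPECTED_WRITERS are hypothetical allowlists.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Matches the tail of a TargetObject that names a folder Home Page URL value.
HOMEPAGE_URL_VALUE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<version>\d+\.\d+)\\Outlook\\WebView\\"
    r"(?P<folder>[^\\]+)\\URL$",
    re.IGNORECASE,
)

# Hypothetical baseline of sanctioned (folder, URL) customizations.
BASELINE = {
    ("Inbox", "https://intranet.example.local/outlook/inbox.html"),
}

# Processes expected to write Outlook user configuration (hypothetical).
EXPECTED_WRITERS = {"outlook.exe"}


@dataclass(frozen=True)
class Finding:
    utc_time: str
    host: str
    user: str
    folder: str
    url: str
    image: str
    reasons: tuple


def analyze(events: Iterable[dict]) -> List[Finding]:
    """Return one Finding per Home Page URL write that deviates from baseline."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue  # only registry value-set records are relevant here
        match = HOMEPAGE_URL_VALUE.search(ev.get("TargetObject", ""))
        if match is None:
            continue  # some other registry value; not Home Page related
        folder = match.group("folder")
        url = ev.get("Details", "").strip()
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        reasons = []
        if (folder, url) not in BASELINE:
            reasons.append("home page URL is not a sanctioned customization")
        if image not in EXPECTED_WRITERS:
            reasons.append(f"value written by {image!r} rather than Outlook")
        if reasons:
            findings.append(Finding(
                utc_time=ev.get("UtcTime", ""), host=ev.get("Computer", ""),
                user=ev.get("User", ""), folder=folder, url=url, image=image,
                reasons=tuple(reasons)))
    return findings


def _ev(image, target, details, utc, event_id=13):
    """Build one constructed record (not real telemetry)."""
    return {"EventID": event_id, "UtcTime": utc, "Computer": "WS01",
            "User": "CORP\\alice", "Image": image, "TargetObject": target,
            "Details": details}


SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # sanctioned Inbox customization written by Outlook itself -> no finding
    _ev(OUTLOOK, SID + r"\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
        "https://intranet.example.local/outlook/inbox.html", "2024-05-01 08:02:11.120"),
    # Inbox home page redirected to an external host by a script host -> two reasons
    _ev(PWSH, SID + r"\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
        "https://cdn.example.net/assets/home.html", "2024-05-01 08:15:42.003"),
    # Calendar home page set by Outlook but absent from the baseline -> one reason
    _ev(OUTLOOK, SID + r"\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar\URL",
        "http://10.0.0.5/cal.html", "2024-05-01 09:01:05.550"),
    # unrelated Run key write by the same script host -> ignored by this hunt
    _ev(PWSH, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        r"C:\Users\alice\AppData\Local\svc.exe", "2024-05-01 08:15:43.900"),
    # process-creation record (Event ID 1) -> not a registry event, ignored
    _ev(PWSH, "", "", "2024-05-01 08:15:40.000", event_id=1),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.utc_time} {f.host} {f.user} folder={f.folder} url={f.url} "
              f"image={f.image}: {'; '.join(f.reasons)}")
```

Run stand-alone it reports the two deviating writes with the host, user, time, folder, URL and writing process needed for the correlation step above. The two checks are deliberately independent: a value that matches the baseline but was written by a script host is still reported, because a sanctioned URL can be re-pointed at an attacker-controlled page on an internal host, and a write by Outlook itself is still reported when the URL is unknown. Widen BASELINE only from confirmed change-management records, and keep the Run-key record in mind as the kind of adjacent persistence a separate analytic should cover.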

Mitigation priorities

  • Inventory where Outlook desktop and Office Suite are used so the detection scope is explicit.
  • Review whether the legacy Outlook Home Page feature is needed; if not needed, assess policy or configuration options to restrict abuse.
  • Harden and monitor endpoint configuration changes affecting Office and user profile persistence locations.
  • Include Outlook Home Page checks in incident response persistence review and eradication procedures.
  • Document telemetry sources, detections, and response evidence for audit and compliance readiness where Office endpoint controls are in scope.

Analyst notes and limits

This take is based on the detection strategy object DET0177 and its relationship to ATT&CK technique T1137.004, Outlook Home Page. The relationship provides the key context: adversaries may abuse Outlook's legacy Home Page feature to load a malicious page for persistence, and the related technique is associated with Windows and Office Suite under persistence. Defensive value depends on whether the organization can observe Outlook configuration changes and correlate them with endpoint and user activity.

The supplied detection strategy has no official description, no official detection text, no tactics, and no platforms of its own. Recommendations therefore remain validation-oriented and are derived only from the related technique context. Local environment evidence is required to determine actual exposure, legitimate use, telemetry coverage, and detection efficacy.

Official MITRE ATT&CK definition

Detect Persistence via Outlook Home Page Exploitation

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference); links within this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name               Type           Relationship / procedure
Enterprise  T1137.004  Outlook Home Page  Sub-technique  This object detects Outlook Home Page.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: 47953d061ced731b...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified    Status          Raw hash
19.1     (no value)       1.0             (no value)  Current bundle  47953d061ced…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0177

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.