cti/enterprise-attack/attack-pattern/attack-pattern--bf147104-abf9-4221-95d1-e81585859441.json

{
    "type": "bundle",
    "id": "bundle--88931585-58cf-4b64-8aa9-4b7751655736",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--bf147104-abf9-4221-95d1-e81585859441",
            "created": "2019-11-07T20:09:56.536Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1137/004",
                    "external_id": "T1137.004"
                },
                {
                    "source_name": "Microsoft Detect Outlook Forms",
                    "description": "Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.",
                    "url": "https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack"
                },
                {
                    "source_name": "SensePost NotRuler",
                    "description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.",
                    "url": "https://github.com/sensepost/notruler"
                },
                {
                    "source_name": "SensePost Outlook Home Page",
                    "description": "Stalmans, E. (2017, October 11). Outlook Home Page \u2013 Another Ruler Vector. Retrieved February 4, 2019.",
                    "url": "https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2025-10-24T17:49:18.872Z",
            "name": "Outlook Home Page",
            "description": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\n\nOnce malicious home pages have been added to the user\u2019s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)\n",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "persistence"
                }
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": true,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Windows",
                "Office Suite"
            ],
            "x_mitre_version": "1.2"
        }
    ]
}