{
	"id": "e31c5c5e-74e9-4896-8acf-42033f8906f4",
	"created_at": "2026-04-06T01:32:11.350184Z",
	"updated_at": "2026-04-10T03:20:32.708602Z",
	"deleted_at": null,
	"sha1_hash": "80d0da198bba98e378e8ffe5e9908e6f3e2d534e",
	"title": "Outlook Today Homepage Persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 336278,
	"plain_text": "Outlook Today Homepage Persistence\r\nBy Ben Wilson\r\nPublished: 2018-09-15 · Archived: 2026-04-06 01:17:43 UTC\r\n5 min read\r\nSep 15, 2018\r\nOutlook Today\r\nUnder security update KB4011162, the homepage attack vector used by ruler was patched to prevent code execution.\r\nTherefore, I went investigating to see the extent of Microsoft’s patch. While I was investigating, I came across Outlook\r\nToday, which according to Microsoft, is a handy way to get a quick interactive summary of your calendar, tasks, and\r\nmessages for the current day. While I was looking through Outlook Today, I noticed that Outlook Today had a menu\r\ncalled data file properties (similar to properties under folders such as Inbox) and through that menu, you could once again\r\nset a homepage value.\r\nhttps://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943\r\nPage 1 of 6\n\nThis got me excited, but I needed to find out more about Outlook Today and explore the extent of my find. So opened up\r\nMFCMAPI and began exploring the properties. After hours and hours of searching for the original property\r\nPR_FOLDER_WEBVIEWINFO as well as other properties, which may hold the homepage value, it turned up nothing.\r\nAfter discussing with the developer of Ruler, Etienne Stalmans and the developer of MFCMAPI it was evident that the\r\nhomepage value could not be set remotely and had to be set through the registry under:\r\n“HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Today\\UserDefinedUrl”\r\nAfter hearing this, I decided not to give up and see if there was still a way to exploit this.\r\nhttps://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943\r\nPage 2 of 6\n\nPersistence\r\nI decided that if the Outlook Today Home Page could not be exploited remotely, it could still be used as a method of\r\npersistence, so I put my thinking cap back on and got back to work. Through research, I found that the Outlook Today\r\npage could be set as the startup folder in Outlook. This setting was located under File -\u003e Options -\u003e Advanced -\u003e Outlook\r\nstart and exit -\u003e Browse -\u003e Change Inbox to folder with your email address on it. This got me intrigued: if startup folders\r\ncan be set through the Outlook GUI then there must be a way to edit the values programmatically. After doing some\r\nresearch and browsing the registry, I found the registry key located here:\r\n“HKU\\yoursid\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\001e0336”\r\nIt turns out this key is just a bunch of random numbers but through setting Outlook Today as the startup folder through\r\nthe GUI and updating the registry we get this value: “IPF.TodaysOutlook”\r\nGreat, now we can set a custom URL for Outlook Today and set Outlook Today as the startup folder all through the\r\nregistry, right? Not quite. I noticed that while trying to set the Outlook Today home page after it had been set back to\r\ndefault (using the “Restore Defaults” button in the GUI) it failed. For some reason the registry was unable to override the\r\ndefault settings put in place by Outlook.\r\nOnce again, I went back to the registry to try to find some answers. While I was changing the default homepage and\r\nrestoring it while monitoring changes to the registry I realized that there was another value that was being changed, the\r\nstamp value found here:\r\n“HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Today\\Stamp”\r\nGet Ben Wilson’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nI found that every time you set a custom home page URL through Outlook GUI the Stamp value is set to 1, and every\r\ntime you restore the default settings the Stamp value is set back to 0. This explains why the registry is unable to override\r\nthe default settings as the Stamp value is acting as a lock and when the Stamp value is set to 1, the lock is open and new\r\nURLs are able to be set.\r\nSandbox Escape\r\nNow that we are able to set a custom URL for Outlook Today and set Outlook Today as the startup folder\r\nprogrammatically, we need to find a way to abuse the exploit and escape the sandbox. Using some basic VBScript and\r\nHTML, I achieved this easily:\r\n\u003chtml\u003e\r\n\u003chead\u003e\r\n\u003cmeta http-equiv=\"Content-Language\" content=\"en-us\"\u003e\r\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1252\"\u003e\r\n\u003ctitle\u003eOutlook\u003c/title\u003e\r\n\u003cscript id=clientEventHandlersVBS language=vbscript\u003e\r\n\u003c!--\r\nhttps://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943\r\nPage 3 of 6\n\nSub window_onload()\r\nSet w = window.external.OutlookApplication\r\nSet c = w.CreateObject(\"Wscript.Shell\")\r\nc.Run(\"calc.exe\")\r\nEnd Sub\r\n--\u003e\r\n\u003c/script\u003e\r\n\u003c/head\u003e\r\n\u003c/html\r\nInvisibility\r\nThis is great and all but, if we want our persistence to remain invisible to the user then we are going to have to hide our\r\nshell better than this. Currently when the user opens Outlook there is no data provided, which may raise suspicion\r\namongst observant users. To solve this we simply copy the default homepage URL for Outlook Today and paste it into\r\nInternet Explorer. It will look something like this.\r\nPress enter or click to view image in full size\r\nAfter that go to inspect element and then right click on the top of the HTML code and select copy\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943\r\nPage 4 of 6\n\nThen paste this code above the current HTML sandbox escape code and remove duplicate the tags and now we have an\r\ninvisible shell inside Outlook Today. Notice that the only difference between the two is the fact that our malicious page\r\ndoes not include the Inbox, Drafts and Outbox links shown under the Messages tab in the default Outlook Today home\r\npage.\r\nMalicious:\r\nPress enter or click to view image in full size\r\nDefault:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943\r\nPage 5 of 6\n\nConclusion\r\nI have reported this issue to Microsoft and they said that because this exploit requires some form of initial access they\r\nhave deemed it not serious enough to require a patch.\r\nAlthough this exploit requires either initial access or physical access to the target, it is still a great technique for\r\npersistence if you are having trouble gaining persistence access on a target. In addition, because the registry keys are\r\nlocated under user editable directories, only basic privileges are required on the target to execute this exploit.\r\nSource: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943\r\nhttps://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943"
	],
	"report_names": [
		"outlook-today-homepage-persistence-33ea9b505943"
	],
	"threat_actors": [],
	"ts_created_at": 1775439131,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80d0da198bba98e378e8ffe5e9908e6f3e2d534e.pdf",
		"text": "https://archive.orkl.eu/80d0da198bba98e378e8ffe5e9908e6f3e2d534e.txt",
		"img": "https://archive.orkl.eu/80d0da198bba98e378e8ffe5e9908e6f3e2d534e.jpg"
	}
}