LoFP / A legitimate Outlook VBA project is usually configured interactively via outlook.exe.

Sample rules

Persistence via Microsoft Outlook VBA

Description

Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA project (VbaProject.OTM), which Outlook loads from the user's roaming profile when it starts.

Detection logic

file where host.os.type == "windows" and event.type != "deletion" and
  file.name : "VbaProject.OTM" and
  file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM", "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM")
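The rule above, as an added example that is not part of the original page or of the Elastic rule set: a small Python re-implementation of the EQL clause, run over constructed ECS-style file events. It also turns the false-positive note at the top of the page into a triage hint (`triage`), marking matches whose writing process is outlook.exe as likely benign; that process check is an assumption for illustration and is not part of the rule. The dotted field names, the `otm_event` helper and all sample paths and process names are constructed.

```python
import fnmatch

# Path patterns copied from the rule. In EQL the `:` operator is a case-insensitive
# wildcard match where `*` matches any run of characters and `?` exactly one.
OTM_PATHS = (
    r"?:\Users\*\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
    r"\Device\HarddiskVolume*\Users\*\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
)


def eql_match(value, pattern):
    """Approximate EQL's `:` operator with fnmatch (case-insensitive, * and ? wildcards)."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(event):
    """Re-implementation of the rule's EQL `file where ...` clause over one ECS-style event."""
    if event.get("event.category") != "file":
        return False
    if event.get("host.os.type") != "windows":          # `==` in EQL is an exact comparison
        return False
    if event.get("event.type") == "deletion":           # removing the file is not persistence
        return False
    if not eql_match(event.get("file.name"), "VbaProject.OTM"):
        return False
    return any(eql_match(event.get("file.path"), p) for p in OTM_PATHS)


def triage(event):
    """Triage hint derived from the false-positive note: a legitimate VBA project is
    normally written by outlook.exe during interactive use. Assumption for
    illustration; this check is NOT part of the rule."""
    if (event.get("process.name") or "").lower() == "outlook.exe":
        return "likely benign: written by outlook.exe"
    return "suspicious: written by " + (event.get("process.name") or "<unknown>")


def otm_event(event_type, os_type, path, process):
    """Build a constructed ECS-style file event (test data, not a real telemetry record)."""
    return {
        "event.category": "file",
        "event.type": event_type,
        "host.os.type": os_type,
        "file.name": path.rsplit("\\", 1)[-1],
        "file.path": path,
        "process.name": process,
    }


# Constructed sample events covering both matching path forms and the three exclusions.
SAMPLE_EVENTS = [
    # 0: user saves macros from inside Outlook -> matches the rule, triaged as likely benign
    otm_event("creation", "windows",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM", "outlook.exe"),
    # 1: scripted drop seen via the device path form -> matches, triaged as suspicious
    otm_event("change", "windows",
              r"\Device\HarddiskVolume3\Users\bob\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
              "powershell.exe"),
    # 2: deletion is excluded by `event.type != "deletion"`
    otm_event("deletion", "windows",
              r"C:\Users\bob\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM", "powershell.exe"),
    # 3: same file name outside the Outlook roaming profile -> path does not match
    otm_event("creation", "windows", r"C:\Temp\VbaProject.OTM", "powershell.exe"),
    # 4: wrong OS -> excluded by host.os.type
    otm_event("creation", "linux",
              r"C:\Users\carol\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM", "wine"),
]


def run_rule(events):
    """Return (index, triage verdict) for every event the rule would alert on."""
    return [(i, triage(e)) for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for idx, verdict in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: ALERT ({verdict})")
```

The process check belongs in triage rather than in the rule: excluding outlook.exe writes outright would also hide a VBA project written by code running inside the Outlook process, so the alert should fire on every write to the path and the analyst decides from the writing process and the surrounding activity.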