LoFP / A legitimate VBA for Outlook is usually configured interactively via outlook.exe.

Techniques

Sample rules

Persistence via Microsoft Outlook VBA

Description

Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.

Detection logic

file where host.os.type == "windows" and event.type != "deletion" and
 file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
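As an added example (not part of the LoFP page or of the Elastic rule itself), the Python below re-implements the rule's predicate over a few constructed file events and then applies the tuning the false-positive note points at: a write to VbaProject.OTM made interactively by outlook.exe is the expected legitimate case, so it is excluded, while the same write from a scripting host still fires. Field names follow ECS as the rule uses them; the sample events, the `process.name` exception and the wildcard matching helper are assumptions made here.

```python
import fnmatch
from typing import Callable, Dict, List

# Constructed sample events in a flat ECS-style form (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Interactive macro editing inside Outlook: the false positive from the note.
        "event.category": "file", "host.os.type": "windows", "event.type": "change",
        "file.path": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
        "process.name": "outlook.exe",
    },
    {   # Scripted write of the template: the behaviour the rule is meant to catch.
        "event.category": "file", "host.os.type": "windows", "event.type": "creation",
        "file.path": r"C:\Users\bob\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
        "process.name": "powershell.exe",
    },
    {   # Deletion is explicitly excluded by the rule (event.type != "deletion").
        "event.category": "file", "host.os.type": "windows", "event.type": "deletion",
        "file.path": r"C:\Users\bob\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
        "process.name": "explorer.exe",
    },
    {   # Wrong OS and wrong path shape: must not match.
        "event.category": "file", "host.os.type": "linux", "event.type": "creation",
        "file.path": "/home/carol/VbaProject.OTM",
        "process.name": "bash",
    },
]

# The path pattern from the rule; '*' stands for the user's profile directory.
OTM_PATTERN = r"C:\Users\*\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"


def eql_like_match(value: str, pattern: str) -> bool:
    """Approximate EQL's ':' operator: case-insensitive compare with '*' wildcards.
    fnmatch treats backslashes literally, so Windows paths need no escaping."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(event: Dict[str, str]) -> bool:
    """The rule as written on the page: a non-deletion file event on Windows
    whose path is the per-user Outlook VBA template."""
    return (
        event.get("event.category") == "file"
        and event.get("host.os.type") == "windows"
        and event.get("event.type") != "deletion"
        and eql_like_match(event.get("file.path", ""), OTM_PATTERN)
    )


def tuned_rule_matches(event: Dict[str, str],
                       trusted_processes=("outlook.exe",)) -> bool:
    """Assumed tuning derived from the false-positive note: the same predicate,
    minus writes performed by the interactive Outlook process itself."""
    return (rule_matches(event)
            and event.get("process.name", "").lower() not in trusted_processes)


def evaluate(events: List[Dict[str, str]],
             matcher: Callable[[Dict[str, str]], bool]) -> List[str]:
    """Return the process names of the events a matcher would alert on."""
    return [e["process.name"] for e in events if matcher(e)]


if __name__ == "__main__":
    print("raw rule  :", evaluate(SAMPLE_EVENTS, rule_matches))
    print("tuned rule:", evaluate(SAMPLE_EVENTS, tuned_rule_matches))
```

The exception is a trade: it removes the routine noise of users editing macros in Outlook, but it also silences a template written by Outlook on behalf of something the user opened. Pairing the exclusion with a second signal (the template being written shortly after a non-Outlook process touched it, or a file hash that is new to the fleet) keeps coverage for that case.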