LoFP / legitimate use of outlook forms

Techniques

Sample rules

Potential Persistence Via Outlook Form

Description

Detects the creation of a new Outlook form, which can contain malicious code.

Detection logic

condition: selection
selection:
  Image|endswith: \outlook.exe
  TargetFilename|contains:
  - \AppData\Local\Microsoft\FORMS\IPM
  - \Local Settings\Application Data\Microsoft\Forms
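
The selection above, evaluated over constructed file-creation events. This is an added example, not code from LoFP or the rule's author; the event values are made up. The rule keys only on the writing process and the target path, so a form written during legitimate use of Outlook forms produces the same match as a malicious one.

```python
# Added example: the page's selection applied to constructed file-creation events.
RULE = {
    "Image|endswith": [r"\outlook.exe"],
    "TargetFilename|contains": [
        r"\AppData\Local\Microsoft\FORMS\IPM",
        r"\Local Settings\Application Data\Microsoft\Forms",
    ],
}

# Sigma string modifiers; matching is case-insensitive by default.
MODIFIERS = {
    "endswith": lambda value, pattern: value.endswith(pattern),
    "contains": lambda value, pattern: pattern in value,
}

def field_matches(key, patterns, event):
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    test = MODIFIERS[modifier]
    return any(test(value, p.lower()) for p in patterns)  # list values are OR'd

def selection_matches(event, rule=RULE):
    return all(field_matches(k, v, event) for k, v in rule.items())  # fields are AND'd

# Constructed events (users, paths and file names are made up for illustration).
EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\FORMS\IPM.Note.Expense\form.tmp"},
    {"Image": r"C:\Program Files\Microsoft Office\Office12\outlook.exe",
     "TargetFilename": r"C:\Documents and Settings\bob\Local Settings\Application Data\Microsoft\Forms\IPM.Note.Leave\form.tmp"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\FORMS\IPM.Note.Expense\form.tmp"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"},
]

def evaluate(events=EVENTS):
    return [selection_matches(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("MATCH" if hit else "no   ", event["Image"], "->", event["TargetFilename"])
```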