Esc
Outlook Forms - T1137.003

(ATT&CK® Technique)
Definition

Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1137003["Outlook Forms"] --> |adds| OfficeApplicationFile["Office Application File"]; class T1137003 OffensiveTechniqueNode;
        class OfficeApplicationFile ArtifactNode; click OfficeApplicationFile href "/dao/artifact/d3f:OfficeApplicationFile";
        click T1137003 href "/offensive-technique/attack/T1137.003/"; click OfficeApplicationFile href "/dao/artifact/d3f:OfficeApplicationFile";             DecoyFile["Decoy File"] -->
          | spoofs | OfficeApplicationFile["Office Application File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1137003["Outlook Forms"] ;
          class DecoyFile DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | OfficeApplicationFile["Office Application File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1137003["Outlook Forms"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                           EmulatedFileAnalysis["Emulated File Analysis"] -->
          | analyzes | OfficeApplicationFile["Office Application File"];

          EmulatedFileAnalysis["Emulated File Analysis"] -.->
            | may-detect | T1137003["Outlook Forms"] ;
          class EmulatedFileAnalysis DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
          | analyzes | OfficeApplicationFile["Office Application File"];

          DynamicAnalysis["Dynamic Analysis"] -.->
            | may-detect | T1137003["Outlook Forms"] ;
          class DynamicAnalysis DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";                           FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | OfficeApplicationFile["Office Application File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1137003["Outlook Forms"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                            FileEviction["File Eviction"] -->
          | deletes | OfficeApplicationFile["Office Application File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1137003["Outlook Forms"] ;
          class FileEviction DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
          | encrypts | OfficeApplicationFile["Office Application File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1137003["Outlook Forms"] ;
          class FileEncryption DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";                         RestoreFile["Restore File"] -->
          | restores | OfficeApplicationFile["Office Application File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1137003["Outlook Forms"] ;
          class RestoreFile DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
          | analyzes | OfficeApplicationFile["Office Application File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1137003["Outlook Forms"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";                             RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | OfficeApplicationFile["Office Application File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1137003["Outlook Forms"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class OfficeApplicationFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
json