anavem.
O
High RiskWindowsLegitimateCommonly Abused
OUTLOOK.EXEEMAIL CLIENT

OUTLOOK.EXE - Microsoft Outlook Security Analysis

OUTLOOK.EXE is Microsoft Outlook email client. It is a primary phishing delivery vector where malicious attachments and links arrive. Attackers exploit Outlook via malicious attachments, OLE embedding, and CVE-2023-23397 (credential theft via meeting invite). Outlook spawning shells is extremely suspicious.

0viewsLast verified: Jan 18, 2026

Risk Summary

HIGH priority for SOC triage. OUTLOOK.EXE is the primary vector for phishing delivery. Outlook spawning cmd.exe, powershell.exe, or wscript.exe indicates **active exploitation**. Monitor for attachment opens and child processes.

Overview

What is OUTLOOK.EXE?

Microsoft Outlook is an email and calendar client.

Security Significance

Primary Phishing Vector:

  • Malicious attachments
  • Phishing links
  • Calendar invite attacks
  • OLE embedded objects

Recent Vulnerabilities

  • CVE-2023-23397: NTLM credential theft via calendar
  • Various macro/attachment exploits

Normal Behavior

Normal Behavior

Expected Process State

PropertyExpected Value
PathC:\Program Files\Microsoft Office...\OUTLOOK.EXE
Parentexplorer.exe
UserLogged-in user
ChildrenRarely any

Normal Child Processes

OUTLOOK.EXE
└── (none typically)

CRITICAL: Outlook should NOT spawn:

Common Locations

C:\Program Files\Microsoft Office\root\Office*\OUTLOOK.EXEC:\Program Files (x86)\Microsoft Office\root\Office*\OUTLOOK.EXE

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Parent:      explorer.exe
Children:    None typical
Behavior:    Normal email operations

SUSPICIOUS

Children:    cmd.exe → CRITICAL
             powershell.exe → CRITICAL
             wscript.exe → CRITICAL
Behavior:    Opening executable attachments
             SMB connections from meeting invites

Abuse Techniques

Attack Techniques

Technique #1: Malicious Attachment Execution (T1566.001)

Phishing Flow:

  1. User receives email with malicious attachment
  2. Opens .doc, .xls with macros
  3. Office app spawns shell

Technique #2: CVE-2023-23397 (T1187)

NTLM Credential Theft:

  • Specially crafted meeting invite
  • Contains UNC path to attacker server
  • No user interaction required

Technique #3: OLE Embedding (T1204.002)

Embedded objects executing code when clicked.

Detection Guidance

Detection Strategies

Priority #1: Outlook Spawning Shells

Sigma Rule:

title: Outlook Spawning Shell
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\OUTLOOK.EXE'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
  condition: selection
level: critical

Priority #2: CVE-2023-23397 Indicators

Process = "OUTLOOK.EXE" AND
NetworkConnection TO non-company SMB
→ ALERT: CRITICAL - Possible CVE-2023-23397

Priority #3: Attachment Opens

Monitor Outlook spawning Office apps that then spawn shells.

Remediation Steps

Protection and Remediation

Defense: Patch Outlook

Apply patches for CVE-2023-23397.

Defense: ASR Rules

Block Outlook from creating child processes.

Defense: Disable Preview

Disable automatic preview of attachments.

If Compromise Suspected

  1. Terminate Outlook
  2. Identify triggering email/invite
  3. Check for spawned processes
  4. Review NTLM authentication logs
  5. Change password if credentials exposed

Investigation Checklist

Investigation Checklist

  • Check for child processes
  • Identify triggering email
  • Review attachment opens
  • Check for CVE-2023-23397 indicators
  • Review SMB connections
  • Analyze email headers

MITRE ATT&CK Techniques

- - -