OUTLOOK.EXE - Microsoft Outlook Security Analysis
OUTLOOK.EXE is **Microsoft Outlook email client**. It is a **primary phishing delivery vector** where malicious attachments and links arrive. Attackers exploit Outlook via **malicious attachments**, **OLE embedding**, and **CVE-2023-23397** (credential theft via meeting invite). Outlook spawning shells is **extremely suspicious**.
Risk Summary
HIGH priority for SOC triage. OUTLOOK.EXE is the primary vector for phishing delivery. Outlook spawning cmd.exe, powershell.exe, or wscript.exe indicates **active exploitation**. Monitor for attachment opens and child processes.
Overview
What is OUTLOOK.EXE?
Microsoft Outlook is an email and calendar client.
Security Significance
Primary Phishing Vector:
- Malicious attachments
- Phishing links
- Calendar invite attacks
- OLE embedded objects
Recent Vulnerabilities
- CVE-2023-23397: NTLM credential theft via calendar
- Various macro/attachment exploits
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Program Files\Microsoft Office...\OUTLOOK.EXE |
| Parent | explorer.exe |
| User | Logged-in user |
| Children | Rarely any |
Normal Child Processes
OUTLOOK.EXE
└── (none typically)
CRITICAL: Outlook should NOT spawn:
- cmd.exe
- powershell.exe
- wscript.exe
Common Locations
- C:\Program Files\Microsoft Office\root\Office*\OUTLOOK.EXE
- C:\Program Files (x86)\Microsoft Office\root\Office*\OUTLOOK.EXE
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
- Parent: explorer.exe
- Children: None typical
- Behavior: Normal email operations
SUSPICIOUS
- Children: cmd.exe → CRITICAL; powershell.exe → CRITICAL; wscript.exe → CRITICAL
- Behavior: Opening executable attachments; SMB connections from meeting invites
Attack Techniques
Technique #1: Malicious Attachment Execution (T1566.001)
Phishing Flow:
- User receives email with malicious attachment
- Opens .doc, .xls with macros
- Office app spawns shell
Technique #2: CVE-2023-23397 (T1187)
NTLM Credential Theft:
- Specially crafted meeting invite
- Contains UNC path to attacker server
- No user interaction required
Technique #3: OLE Embedding (T1204.002)
Embedded objects executing code when clicked.
Detection Strategies
Priority #1: Outlook Spawning Shells
Sigma Rule:
```yaml
title: Outlook Spawning Shell
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\OUTLOOK.EXE'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
  condition: selection
level: critical
```
Priority #2: CVE-2023-23397 Indicators
Process = "OUTLOOK.EXE" AND
NetworkConnection TO non-company SMB
→ ALERT: CRITICAL - Possible CVE-2023-23397
Priority #3: Attachment Opens
Monitor Outlook spawning Office apps that then spawn shells.
Protection and Remediation
Defense: Patch Outlook
Apply patches for CVE-2023-23397.
Defense: ASR Rules
Block Outlook from creating child processes.
Defense: Disable Preview
Disable automatic preview of attachments.
If Compromise Suspected
- Terminate Outlook
- Identify triggering email/invite
- Check for spawned processes
- Review NTLM authentication logs
- Change password if credentials exposed
Investigation Checklist
- Check for child processes
- Identify triggering email
- Review attachment opens
- Check for CVE-2023-23397 indicators
- Review SMB connections
- Analyze email headers