
Detection & Mitigation

Oddvar Moe edited this page Aug 2, 2024 · 4 revisions

Detections

Detections should trigger when a value named URL is added under the following registry keys:

HKCU\Software\Microsoft\Office\[*VERSION]\Outlook\Today
HKCU\Software\Microsoft\Office\[*VERSION]\Outlook\Webview\[**FOLDER]
* VERSION: 14.0, 15.0, 16.0
** FOLDER: Inbox, Calendar, Contacts, Deleted Items, Drafts, Journal, Junk E-mail, Notes, Outbox, RSS, Sent Mail, Tasks
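
An added example, not part of the original wiki page: a Python matcher that applies the key list above to registry value-set events. The field names (`TargetObject`, `Details`, `Image`) follow Sysmon's registry events; the `HKU\<SID>` hive form, the sample events and the function names are assumptions made for this illustration.

```python
import re

# Versions and folder names exactly as listed on this page.
VERSIONS = ["14.0", "15.0", "16.0"]
FOLDERS = ["Inbox", "Calendar", "Contacts", "Deleted Items", "Drafts", "Journal",
           "Junk E-mail", "Notes", "Outbox", "RSS", "Sent Mail", "Tasks"]

# Assumption: the log source writes the per-user hive either as HKCU or as
# HKU\<SID> (the form Sysmon uses), so both spellings are accepted.
_HIVE = r"(?:HKCU|HKEY_CURRENT_USER|(?:HKU|HKEY_USERS)\\S-1-[0-9-]+)"
_VER = "|".join(re.escape(v) for v in VERSIONS)
_FOLDER = "|".join(re.escape(f) for f in FOLDERS)
WATCHED = re.compile(
    rf"^{_HIVE}\\Software\\Microsoft\\Office\\(?P<version>{_VER})\\Outlook\\"
    rf"(?:(?P<today>Today)|Webview\\(?P<folder>{_FOLDER}))\\URL$",
    re.IGNORECASE,
)

def match_home_page_write(target_object):
    """Return (office_version, location) for a URL value under a watched key, else None."""
    m = WATCHED.match(target_object.strip())
    if not m:
        return None
    return m.group("version"), m.group("folder") or m.group("today")

def scan(events):
    """Return one alert per registry value-set event that writes a watched URL value."""
    alerts = []
    for ev in events:
        hit = match_home_page_write(ev.get("TargetObject", ""))
        if hit:
            alerts.append({"version": hit[0], "location": hit[1],
                           "url": ev.get("Details", ""), "image": ev.get("Image", "")})
    return alerts

# Constructed sample events (not real telemetry); SID, paths and URLs are placeholders.
_BASE = r"\Software\Microsoft\Office"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "Details": "https://example.invalid/home.html",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001" + _BASE + r"\16.0\Outlook\Webview\Inbox\URL"},
    {"Image": r"C:\Windows\regedit.exe", "Details": "https://example.invalid/today.html",
     "TargetObject": "HKCU" + _BASE + r"\15.0\Outlook\Today\URL"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "Details": "DWORD (0x00000001)",
     "TargetObject": "HKCU" + _BASE + r"\16.0\Outlook\Preferences\Example"},
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

The matcher only covers the versions and folders listed on this page; extend `VERSIONS` and `FOLDERS` if your environment differs.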

Mitigations

  1. Switch to new Outlook. This turns the Outlook desktop client into a more modern version that lacks the legacy features.
  2. Disable the VBScript engine in Windows 11 24H2 and newer. VBScript will be automatically turned off as a default feature as of 2027 (https://techcommunity.microsoft.com/t5/windows-it-pro-blog/vbscript-deprecation-timelines-and-next-steps/ba-p/4148301).
  3. Download the ADMX for Office and set the following Group Policy settings:
     - User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Folder Home Pages for Outlook Special Folders > Do not allow Home Page URL to be set in folder Properties (Set to enabled)
     - User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Today Settings > Outlook Today availability (Set to disabled)
  4. Implement baselines from the Microsoft Security Compliance Toolkit (https://www.microsoft.com/en-us/download/details.aspx?id=55319). These baselines lock down the web engine that Outlook uses for rendering HTML and VBScript, so the scripts do not run.