Detection & Mitigation

Oddvar Moe edited this page Jul 29, 2024 · 4 revisions

## Detections

Detections should trigger when the value URL is added under the following registry keys:

HKCU\Software\Microsoft\Office\[*VERSION]\Outlook\Today
HKCU\Software\Microsoft\Office\[*VERSION]\Outlook\WebView\[**FOLDER]

\* VERSION: 14.0, 15.0, 16.0
\*\* FOLDER: Inbox, Calendar, Contacts, Deleted Items, Drafts, Journal, Junk E-mail, Notes, Outbox, RSS, Sent Mail, Tasks
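
One way to express this detection over registry telemetry, as an added example that is not part of the original wiki. It assumes Sysmon-style value-set records (Event ID 13 with `EventID`, `TargetObject`, `Details` and `Image` fields), where HKCU is logged as `HKU\<SID>`; the sample events, SID and URL are constructed.

```python
import re

# Versions and folders as listed on the page.
VERSIONS = ("14.0", "15.0", "16.0")
FOLDERS = ("Inbox", "Calendar", "Contacts", "Deleted Items", "Drafts", "Journal",
           "Junk E-mail", "Notes", "Outbox", "RSS", "Sent Mail", "Tasks")

# Assumption: Sysmon-style paths, where HKCU is logged as HKU\<user SID>.
WATCHED = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|(?:HKU|HKEY_USERS)\\S-1-[\d-]+)"
    r"\\Software\\Microsoft\\Office\\(?P<version>%s)\\Outlook"
    r"\\(?:Today|WebView\\(?P<folder>%s))\\URL$"
    % ("|".join(map(re.escape, VERSIONS)), "|".join(map(re.escape, FOLDERS))),
    re.IGNORECASE,
)

def detect(events):
    """Return one alert per value-set event that writes URL under a watched key."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:  # 13 = registry value set
            continue
        m = WATCHED.match(ev.get("TargetObject", ""))
        if m:
            alerts.append({"version": m.group("version"),
                           "location": m.group("folder") or "Today",
                           "url": ev.get("Details", ""),
                           "image": ev.get("Image", "")})
    return alerts

# Constructed sample events (SID, URL and process paths are made up).
_OFFICE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Office"
_URL = "https://example.invalid/home.html"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": _URL,
     "TargetObject": _OFFICE + r"\16.0\Outlook\WebView\Inbox\URL"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": _URL,
     "TargetObject": _OFFICE + r"\15.0\Outlook\Today\URL"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": _URL,
     "TargetObject": _OFFICE + r"\16.0\outlook\webview\junk e-mail\url"},  # case varies
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": _URL,
     "TargetObject": _OFFICE + r"\16.0\Word\Options\URL"},                 # other key
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": "1",
     "TargetObject": _OFFICE + r"\16.0\Outlook\WebView\Inbox\OtherValue"}, # other value
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The match is case-insensitive because registry paths are, and it is anchored on the `URL` value name so other writes under the same keys do not alert.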


## Mitigations
1. Switch to new Outlook. This will turn the Outlook desktop client into a more modern version that lacks the legacy features.
2. Disable VBScript Engine in Windows 11 24H2 and newer. VBScript will be automatically turned off as a default feature as of 2027 ([https://techcommunity.microsoft.com/t5/windows-it-pro-blog/vbscript-deprecation-timelines-and-next-steps/ba-p/4148301](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/vbscript-deprecation-timelines-and-next-steps/ba-p/4148301)).
3. Download the ADMX for Office and set the following Group Policy settings:

User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Folder Home Pages for Outlook Special Folders > Do not allow Home Page URL to be set in folder Properties (Set to enabled)

User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Today Settings > Outlook Today availability (Set to disabled)

4. Implement baselines from the Microsoft Security Compliance Toolkit ([https://www.microsoft.com/en-us/download/details.aspx?id=55319](https://www.microsoft.com/en-us/download/details.aspx?id=55319)). These baselines lock down the web engine that Outlook uses for rendering HTML and VBScript, causing it to not run the scripts.