Suspicious File Created in Outlook Temporary Directory

Original Source: [Sigma source]
Title: Suspicious File Created in Outlook Temporary Directory
Status: experimental
Description: Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
References:
  - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
  - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
  - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-07-22
Modified: None
Tags:
  - attack.initial-access
  - attack.t1566.001
Logsource:
  product: windows
  category: file_event
Detection:
  selection_extension:
    TargetFilename|endswith:
      - '.cpl'
      - '.hta'
      - '.iso'
      - '.rdp'
      - '.svg'
      - '.vba'
      - '.vbe'
      - '.vbs'

  selection_location:
    - TargetFilename|contains:
      - '\AppData\Local\Packages\Microsoft.Outlook_'
      - '\AppData\Local\Microsoft\Olk\Attachments\'
    - TargetFilename|contains|all:
      - '\AppData\Local\Microsoft\Windows\'
      - '\Content.Outlook\'
  condition: all of selection_*
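The detection logic above, as an added Python example that is not part of the Sigma rule or the Sigma project: it evaluates both selections and the `all of selection_*` condition against constructed Sysmon-style file_event records. Sample paths, user names and the package-id suffix are made up; string matching is done case-insensitively, as Sigma does by default.

```python
# Added example: evaluates this Sigma rule's two selections and its
# "all of selection_*" condition against constructed file_event records.
# Not part of the rule or the Sigma project; paths, users and IDs are made up.

# selection_extension: TargetFilename|endswith
SUSPICIOUS_EXTENSIONS = (".cpl", ".hta", ".iso", ".rdp", ".svg", ".vba", ".vbe", ".vbs")

# selection_location, first alternative: TargetFilename|contains (any one marker)
OUTLOOK_MARKERS_ANY = (
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",
)
# selection_location, second alternative: TargetFilename|contains|all (both markers)
OUTLOOK_MARKERS_ALL = ("\\AppData\\Local\\Microsoft\\Windows\\", "\\Content.Outlook\\")

def selection_extension(path: str) -> bool:
    # Sigma string comparisons are case-insensitive unless |cased is given
    return path.lower().endswith(SUSPICIOUS_EXTENSIONS)

def selection_location(path: str) -> bool:
    p = path.lower()
    new_outlook = any(m.lower() in p for m in OUTLOOK_MARKERS_ANY)
    classic_outlook = all(m.lower() in p for m in OUTLOOK_MARKERS_ALL)
    return new_outlook or classic_outlook

def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> every selection must hold."""
    path = event.get("TargetFilename", "")
    return selection_extension(path) and selection_location(path)

# Constructed Sysmon-style file-creation events (EventID 11), not real telemetry
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\invoice.SVG"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.Outlook_placeholderid\\AC\\Temp\\remote.rdp"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Olk\\Attachments\\1\\script.vbs"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\report.pdf"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\Downloads\\update.hta"},
    {"EventID": 11, "TargetFilename": "C:\\Temp\\Content.Outlook\\stale.hta"},
]

def run(events=SAMPLE_EVENTS):
    """Return the TargetFilename of every event that matches the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit)
```

The last three sample events show the two ways an event fails the rule: a benign extension in the right directory, or a listed extension outside Outlook's temporary directories (including a `Content.Outlook` folder that is not under `\AppData\Local\Microsoft\Windows\`).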
Falsepositives:
  - Opening emails whose signature headers or footers include SVG images, or legitimate SVG attachments
Level: high