MITRE ATT&CK Technique
Persistence T1137
Description

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

Supported Platforms
Windows, Office Suite
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-12-14T16:46:06.044Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may leverage Microsoft Office-based applications '
                'for persistence between startups. Microsoft Office is a '
                'fairly common application suite on Windows-based operating '
                'systems within an enterprise network. There are multiple '
                'mechanisms that can be used with Office for persistence when '
                'an Office-based application is started; this can include the '
                'use of Office Template Macros and add-ins.\n'
                '\n'
                'A variety of features have been discovered in Outlook that '
                'can be abused to obtain persistence, such as Outlook rules, '
                'forms, and Home Page.(Citation: SensePost Ruler GitHub) These '
                'persistence mechanisms can work within Outlook or be used '
                'through Office 365.(Citation: TechNet O365 Outlook Rules)',
 'external_references': [{'external_id': 'T1137',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1137'},
                         {'description': 'Fox, C., Vangel, D. (2018, April '
                                         '22). Detect and Remediate Outlook '
                                         'Rules and Custom Forms Injections '
                                         'Attacks in Office 365. Retrieved '
                                         'February 4, 2019.',
                          'source_name': 'Microsoft Detect Outlook Forms',
                          'url': 'https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack'},
                         {'description': 'Koeller, B.. (2018, February 21). '
                                         'Defending Against Rules and Forms '
                                         'Injection. Retrieved November 5, '
                                         '2019.',
                          'source_name': 'TechNet O365 Outlook Rules',
                          'url': 'https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/'},
                         {'description': 'Parisi, T., et al. (2017, July). '
                                         'Using Outlook Forms for Lateral '
                                         'Movement and Persistence. Retrieved '
                                         'February 5, 2019.',
                          'source_name': 'CrowdStrike Outlook Forms',
                          'url': 'https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746'},
                         {'description': 'SensePost. (2016, August 18). Ruler: '
                                         'A tool to abuse Exchange services. '
                                         'Retrieved February 4, 2019.',
                          'source_name': 'SensePost Ruler GitHub',
                          'url': 'https://github.com/sensepost/ruler'},
                         {'description': 'SensePost. (2017, September 21). '
                                         'NotRuler - The opposite of Ruler, '
                                         'provides blue teams with the ability '
                                         'to detect Ruler usage against '
                                         'Exchange. Retrieved February 4, '
                                         '2019.',
                          'source_name': 'SensePost NotRuler',
                          'url': 'https://github.com/sensepost/notruler'},
                         {'description': 'Soutcast. (2018, September 14). '
                                         'Outlook Today Homepage Persistence. '
                                         'Retrieved February 5, 2019.',
                          'source_name': 'Outlook Today Home Page',
                          'url': 'https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943'}],
 'id': 'attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:34.614Z',
 'name': 'Office Application Startup',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Nick Carr, Mandiant',
                          'Microsoft Threat Intelligence Center (MSTIC)',
                          'Sahar Shukrun',
                          'Praetorian',
                          'Loic Jaquemet',
                          'Ricardo Dias'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows', 'Office Suite'],
 'x_mitre_version': '1.4'}
Related Threat Actors (3)
Gamaredon Group
High

APT28
High

APT32
High