
Summary
This detection rule identifies unusual program executions originating from the Outlook temporary folder on Windows systems. It focuses on files located within the '\Temporary Internet Files\Content.Outlook\' path, targeting potential malware or unauthorized scripts that could be downloaded or executed through Outlook. Execution of a program from this temporary location is often indicative of phishing or other malicious activity that relies on social engineering to compromise user systems. The rule monitors process creation events and alerts on any instance that matches the designated file path pattern. It is classified as high severity so that potential threats originating from Outlook are investigated and responded to promptly.
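The match described above, applied to constructed process creation events. This is an added example, not the rule's own source; matching on the `Image` field, the Sysmon-style field names and the sample hosts and paths are assumptions.

```python
import ntpath

# Path fragment quoted in the rule summary, lower-cased for comparison.
OUTLOOK_TEMP = "\\temporary internet files\\content.outlook\\"


def runs_from_outlook_temp(image):
    """True if a process image path lies under the Outlook temp folder."""
    if not image:
        return False
    # Windows paths are case-insensitive and may arrive with '/' separators.
    return OUTLOOK_TEMP in ntpath.normpath(image).lower()


def find_alerts(events):
    """Return one high-severity alert per matching process creation event."""
    return [
        {"severity": "high", "host": e.get("Computer"),
         "image": e["Image"], "parent": e.get("ParentImage")}
        for e in events
        if runs_from_outlook_temp(e.get("Image"))
    ]


# Constructed sample events; field names follow Sysmon Event ID 1 (assumed).
_WIN = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\"
_OLK = _WIN + "Temporary Internet Files\\Content.Outlook\\"
_OUTLOOK = "C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    # Executable attachment launched straight from the temp folder: match.
    {"Computer": "WS-01", "Image": _OLK + "K3J9X2QA\\invoice.exe",
     "ParentImage": _OUTLOOK, "CommandLine": "invoice.exe"},
    # Outlook itself starting: no match.
    {"Computer": "WS-01", "Image": _OUTLOOK,
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "OUTLOOK.EXE"},
    # Same folder logged with different case and separators: match.
    {"Computer": "WS-02", "ParentImage": _OUTLOOK, "CommandLine": "scan.scr /S",
     "Image": "c:/users/bob/appdata/local/microsoft/windows/"
              "TEMPORARY INTERNET FILES/content.outlook/9ZQ1/scan.scr"},
    # Text attachment opened in Notepad: the path is only an argument.
    {"Computer": "WS-03", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": _OUTLOOK,
     "CommandLine": "notepad.exe " + _OLK + "7HD2\\notes.txt"},
    # Event with no image recorded: ignored rather than raising.
    {"Computer": "WS-04", "Image": None},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The `notepad.exe` event is deliberately left unmatched: under the `Image`-field assumption, an attachment opened in a viewer installed elsewhere does not fire, only a program whose own binary sits in the Outlook temporary folder.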
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2019-10-01