Outlook Home Page Registry Modification

Elastic Detection Rules

Summary
This detection rule identifies modifications to the registry values that configure the Outlook Home Page feature, which adversaries abuse for persistence and as a command-and-control channel: Outlook loads the configured page each time the user opens the affected folder, so an attacker-controlled URL is fetched and rendered on every visit without any further action from the attacker. The rule's EQL (Event Query Language) query watches the Outlook registry paths where a folder's home page URL is stored, excludes deletion events (which clear a home page rather than set one), and matches only values whose data contains an HTTP(S) URL. A match means a mail folder is being redirected to an external page and warrants investigation. The rule relies on Windows registry event data from integrations such as Winlogbeat, Microsoft Defender for Endpoint, and SentinelOne. Triage should validate the URL and the host serving it, review the modification history of the value and the process and user account that wrote it, and correlate the change with other security events from the same host; an administrator may legitimately configure a folder home page, but that should be confirmed rather than assumed before closing the alert.
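The following Python re-creates the rule's matching logic over a handful of constructed registry events so that each filter (non-deletion, value named URL, Outlook WebView path, HTTP(S) data) can be seen doing its job. It is an added example written for this page, not the rule's EQL or Elastic's code. The `WebView\<folder>\URL` layout reflects where Outlook stores a folder's home page, but the exact path patterns, the ECS-style field names, the SID and the URLs below are this example's assumptions.

```python
"""Re-implementation of the Outlook Home Page detection logic over sample events."""
import fnmatch
from typing import Dict, Iterable, List

# Outlook stores a folder's home page as a string value named URL under
# HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>.
# The patterns below are this example's assumption about how those paths
# appear in an endpoint registry event (HKEY_USERS\<SID>\... form); they are
# not copied from the rule.
OUTLOOK_FOLDERS = [
    "Inbox", "Calendar", "Contacts", "Deleted Items", "Drafts", "Journal",
    "Junk E-mail", "Notes", "Outbox", "Sent Items", "Tasks",
]
HOMEPAGE_PATH_PATTERNS = [
    rf"HKEY_USERS\*\SOFTWARE\Microsoft\Office\*\Outlook\WebView\{folder}\URL"
    for folder in OUTLOOK_FOLDERS
]


def _glob(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match, mirroring EQL's ':' operator with '*' globs."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_outlook_homepage_change(event: Dict[str, object]) -> bool:
    """Return True when a registry event satisfies all of the rule's conditions:
    not a deletion, value named URL under an Outlook WebView folder key, and
    string data containing 'http' (which covers both http:// and https://)."""
    if event.get("event.action") == "deletion":
        return False
    if str(event.get("registry.value", "")).lower() != "url":
        return False
    path = str(event.get("registry.path", ""))
    if not any(_glob(path, pattern) for pattern in HOMEPAGE_PATH_PATTERNS):
        return False
    data = event.get("registry.data.strings", [])
    if isinstance(data, str):  # some shippers emit a single string, others a list
        data = [data]
    return any("http" in str(s).lower() for s in data)


def find_homepage_changes(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Filter a stream of registry events down to the ones the rule would alert on."""
    return [event for event in events if is_outlook_homepage_change(event)]


# Constructed sample events (fictional SID, hosts and URLs), using ECS-style field names.
SID_HIVE = r"HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_EVENTS = [
    {   # Attacker sets the Inbox home page to a remote HTTPS page -> alert
        "id": "persist-inbox", "event.action": "modification",
        "registry.path": SID_HIVE + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
        "registry.value": "URL",
        "registry.data.strings": ["https://cdn.example.invalid/outlook/home.html"],
    },
    {   # The same value being deleted (cleanup or remediation) -> filtered out
        "id": "cleanup-deletion", "event.action": "deletion",
        "registry.path": SID_HIVE + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
        "registry.value": "URL",
        "registry.data.strings": ["https://cdn.example.invalid/outlook/home.html"],
    },
    {   # An HTTP URL written somewhere unrelated to Outlook -> no match
        "id": "ie-start-page", "event.action": "modification",
        "registry.path": SID_HIVE + r"\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page",
        "registry.value": "Start Page",
        "registry.data.strings": ["https://www.example.com/"],
    },
    {   # Home page pointed at a local file: outside the rule's HTTP(S) scope -> no match
        "id": "file-homepage", "event.action": "modification",
        "registry.path": SID_HIVE + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
        "registry.value": "URL",
        "registry.data.strings": ["file:///C:/Users/Public/home.html"],
    },
    {   # Plain http:// on an older Office version and a different folder -> alert
        "id": "persist-calendar", "event.action": "creation",
        "registry.path": SID_HIVE + r"\SOFTWARE\Microsoft\Office\15.0\Outlook\WebView\Calendar\URL",
        "registry.value": "URL",
        "registry.data.strings": "http://10.0.0.5/c.html",
    },
]

if __name__ == "__main__":
    for hit in find_homepage_changes(SAMPLE_EVENTS):
        print(hit["id"], "->", hit["registry.path"], hit["registry.data.strings"])
```

Two of the five constructed events fire (`persist-inbox` and `persist-calendar`); the deletion, the unrelated Internet Explorer key and the `file://` home page do not. The last case is the caveat worth remembering during triage: because the rule keys on HTTP(S) data, a home page configured as a local or UNC file path is not in its scope and would need separate coverage.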
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Application Log
  • Process
  • User Account
ATT&CK Techniques
  • T1137
  • T1137.004
Created: 2024-08-01