Process
outlook.exe
outlook.exe is Microsoft Outlook, the email and calendar client in Microsoft Office. It is where phishing lands, so it is often the first process in an intrusion: the user reads a message and opens a malicious attachment or link. Outlook also offers several quiet persistence mechanisms of its own.
File identity
Not observed.
Execution context
Not observed.
Analysis
outlook.exe is the Outlook mail client. It sends and receives email and opens attachments and links, which is where user-driven compromise usually begins. Outlook is part of Microsoft Office, installed under C:\Program Files\Microsoft Office (or the (x86) path), signed by Microsoft. It also supports inbox rules, custom forms, an editable home page, and add-ins, all of which can be made to run code. Microsoft's newer WebView2-based client, the new Outlook for Windows (olk.exe), is a separate Store app with a different footprint and is profiled on its own page. This entry covers the classic desktop client.
Legitimately, outlook.exe runs on most office desktops all day, parented by explorer.exe. Reading and sending mail is unremarkable. Outlook being upstream of a shell, or new automation configured inside it, is not.
Outlook is the doorway for phishing (T1566.001): a spearphishing attachment or link arrives by email, and when the user opens it the attached document or program runs, frequently with Outlook or the document app as the visible parent (T1204.002). Outlook spawning, or being upstream of, a shell or script host shortly after a message is read is the chain to recognize.
Outlook is also a durable persistence surface (T1137). Malicious inbox rules, custom forms, an attacker-set home page, and rogue add-ins can each execute code when Outlook runs or when a triggering message arrives, persistence that lives in the mailbox or profile rather than on disk and can return after reimaging if it syncs from the server. New or unexpected rules, forms, or add-ins tied to Outlook deserve review.
- Image path outside the Microsoft Office install directory
- outlook.exe spawning cmd.exe, powershell.exe, mshta.exe, or wscript.exe, or an opened attachment doing so
- New or modified Outlook inbox rules, custom forms, or home-page settings
- Add-ins registered to load with Outlook from unusual paths
- Outbound connections to non-mail endpoints after a message is opened
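The two process-centric indicators above (an outlook.exe image outside the Office install directory, and Outlook directly or indirectly upstream of a shell or script host) can be checked against process-creation telemetry. The following is an added example written for this entry, not code from the page or from Microsoft: it runs over a small constructed process tree whose records carry the pid, parent pid and image path fields that Sysmon Event ID 1 or Security 4688 both provide, and it walks the parent chain so that Outlook -> document app -> powershell.exe is caught as well as Outlook -> cmd.exe. The sample events, the pids and the user path are all constructed.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Legitimate install locations named in the entry (lower-cased for comparison).
OFFICE_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)
# Shells and script hosts from the detection list.
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}


@dataclass
class ProcEvent:
    """One process-creation record (constructed; the fields are the minimum
    that Sysmon Event ID 1 and Security 4688 both carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str = ""

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def image_outside_office(ev: ProcEvent) -> bool:
    """True for a process named outlook.exe whose image is not under an Office install dir."""
    if ev.name != "outlook.exe":
        return False
    path = ev.image.lower()
    return not any(path.startswith(d + "\\") for d in OFFICE_DIRS)


def find_image_path_anomalies(events: List[ProcEvent]) -> List[ProcEvent]:
    return [e for e in events if image_outside_office(e)]


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent pointers from ev towards the root; stops on a missing parent or a cycle."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain  # leaf first, root last


def find_shell_chains(events: List[ProcEvent]) -> List[List[str]]:
    """Every shell/script-host launch with outlook.exe anywhere upstream,
    reported as an image-name chain from the nearest Outlook ancestor down to the shell."""
    by_pid = {e.pid: e for e in events}
    findings: List[List[str]] = []
    for ev in events:
        if ev.name not in SHELLS:
            continue
        names = [p.name for p in ancestry(ev, by_pid)]
        if "outlook.exe" in names[1:]:          # parent or any more distant ancestor
            cut = names.index("outlook.exe", 1)  # nearest Outlook ancestor
            findings.append(list(reversed(names[: cut + 1])))
    return findings


# Constructed sample tree: a legitimate Outlook opening an attachment that spawns
# PowerShell, a direct Outlook -> cmd.exe launch, a renamed outlook.exe in a user
# profile, and a benign explorer.exe -> cmd.exe launch that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcEvent(3000, 2000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(4000, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-enc ..."),
    ProcEvent(5000, 2000, r"C:\Windows\System32\cmd.exe", "/c whoami"),
    ProcEvent(6000, 1000, r"C:\Users\alice\AppData\Local\Temp\outlook.exe"),
    ProcEvent(7000, 1000, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for e in find_image_path_anomalies(SAMPLE_EVENTS):
        print(f"outlook.exe outside Office dir: pid={e.pid} image={e.image}")
    for chain in find_shell_chains(SAMPLE_EVENTS):
        print("Outlook upstream of shell: " + " -> ".join(chain))
```

On the sample tree this reports the renamed binary under the user profile and two chains, outlook.exe -> winword.exe -> powershell.exe and outlook.exe -> cmd.exe, while the explorer.exe -> cmd.exe launch stays silent. In production the same logic applies to a stream of events rather than a fixed list; the ancestry walk is what lets the rule honour the entry's "upstream of" wording instead of matching only the immediate parent.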
Telemetry
Not observed.