CVE-2017-11774 — Microsoft Office Outlook Security Feature Bypass Vulnerability

Microsoft Outlook — Home Page Feature Enables RCE via Malicious URL; APT33 Persistence Mechanism; Patched October 2017 Patch Tuesday

What Is the Outlook Home Page Feature?

Microsoft Outlook includes a "Folder Home Page" feature that allows users or administrators to configure a web page URL to display inside the Outlook application when opening a mail folder. This feature — primarily intended for corporate intranet portals displayed inside the Outlook client — renders the specified URL using the embedded IE browser engine within the Outlook process. Since the rendered page operates in the Local Machine security zone (not the Internet zone), scripts and ActiveX controls on the page run with elevated privileges, making the Home Page feature a powerful execution primitive if an attacker can set a malicious URL.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-11774 is a security feature bypass vulnerability in Microsoft Office Outlook that allows an attacker to execute arbitrary commands by abusing the Outlook folder Home Page feature. An attacker who can manipulate Outlook folder properties — via Exchange mailbox manipulation, OWA exploitation, a phishing document, or post-compromise access — can set a folder's Home Page URL to an attacker-controlled web page. When the victim opens the affected folder in Outlook, the malicious page renders in the Local Machine zone, enabling scripted code execution. Patched in the October 2017 Patch Tuesday. Exploited by APT33 (Iranian state-sponsored) as a persistence and command execution mechanism. CISA added CVE-2017-11774 to the KEV catalog in November 2021.

Affected Versions

Microsoft Outlook 2007 SP3: Vulnerable
Microsoft Outlook 2010 SP2 (32/64-bit): Vulnerable
Microsoft Outlook 2013 SP1 (32/64-bit): Vulnerable
Microsoft Outlook 2016 (32/64-bit): Vulnerable
All of the above with the October 2017 security update: Fixed

Technical Details

Root Cause: Home Page Feature Executes Attacker-Controlled Content in Privileged Zone

CVE-2017-11774 exploits the Outlook Home Page feature (also called "Folder Home Page") which loads a URL in an embedded Internet Explorer browser within the Outlook application. The security flaw is that:

  1. Privileged execution context: Content rendered via the Outlook Home Page operates in the Local Machine zone rather than the Internet zone — significantly fewer security restrictions apply, and scripts can access local resources and execute commands
  2. Folder property manipulation: Folder home page URLs are stored as folder properties in the MAPI store (Exchange mailbox) — any access that allows modifying these properties (OWA, MAPI direct access, or post-compromise mailbox manipulation) can set a malicious URL
  3. Persistence mechanism: Once set, the malicious home page URL persists in the mailbox — every time the victim opens the affected folder in Outlook, the attacker's page executes, providing persistent code execution without requiring any additional user interaction

APT33 exploitation pattern: APT33 (Holmium, also known as Elfin) — an Iranian state-sponsored threat actor targeting aerospace and energy companies — used CVE-2017-11774 as part of a persistence toolkit. After obtaining initial access via phishing, APT33 would modify Outlook folder properties to set malicious home page URLs, creating persistent execution that triggered each time the victim checked email.

Attack Characteristics

Attack Vector: Mailbox/folder property modification
Trigger: Victim opens the affected Outlook folder
Execution Context: Local Machine zone (elevated IE privileges)
Threat Actor: APT33 (Iran), confirmed exploitation
Use Case: Persistence; C2 callback on each email check

Discovery

Discovered and reported to Microsoft through coordinated disclosure; patched in October 2017. Subsequent public research by security firms documented APT33's use of CVE-2017-11774 as a persistence mechanism.

Exploitation Context

  • APT33 persistence toolkit: APT33 incorporated CVE-2017-11774 into their post-compromise persistence repertoire — after gaining initial access, they modified Outlook folder home pages to point to actor-controlled infrastructure, providing a C2 callback mechanism that fired each time the victim opened Outlook; this proved difficult to detect because it appeared as normal Outlook browsing activity in proxy logs
  • TEMP.Zagros and related Iranian groups: Multiple Iranian threat actor groups used Outlook Home Page abuse for persistence in targeted intrusions against US and Middle Eastern aerospace, energy, and defense organizations; CVE-2017-11774 provided a low-detection-rate persistence method compared to registry run keys or scheduled tasks
  • Post-compromise escalation: CVE-2017-11774 is most valuable post-compromise — after initial access, setting the Home Page URL requires no additional vulnerabilities, only the ability to modify mailbox folder properties (which any authenticated user can do for their own mailbox)
  • CISA KEV (2021): Added November 3, 2021 in the initial KEV batch, reflecting its use by confirmed threat actor groups in targeted intrusions

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply the October 2017 Office security update — install the October 10, 2017 security update for all affected Microsoft Office/Outlook versions.

  2. Disable the Outlook Home Page feature via Group Policy — prevent Outlook from loading folder home pages entirely with the Group Policy setting:
     • User Configuration → Administrative Templates → Microsoft Outlook → Miscellaneous → "Turn off the folder Home Page web feature for folders"

  3. Hunt for malicious Home Page URLs — if exploitation of CVE-2017-11774 is suspected, inspect Outlook folder properties for unexpected Home Page URLs:
     • Use MFCMAPI or Exchange admin tools to enumerate folder home page properties across mailboxes
     • Alert on any home page URL pointing to external or unexpected internal hosts

  4. Monitor Outlook for network connections — Outlook should rarely make outbound HTTP connections during normal operation; alert when Outlook.exe establishes connections to external IPs or domains not related to Exchange/O365.

  5. Render Home Pages in the Restricted Sites zone — configure Outlook to render Home Page content in the Restricted Sites zone rather than the Local Machine zone (available via registry policy after patching) to limit what scripts on the page can do.
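The Technical Details section notes that the home page URL is stored as a folder property in the mailbox, and remediation step 3 says to enumerate those properties and alert on unexpected hosts. The script below is an added example (not code from Microsoft, CISA or any tool named on this page) that does that hunt over an export of the property. It assumes the property is PR_FOLDER_WEBVIEWINFO (PidTagFolderWebViewInfo) holding a binary WebViewPersistenceObject with the layout dwVersion=2, dwType=1, dwFlags, 28 unused bytes, cbData, then a NUL-terminated UTF-16LE URL; that layout is the commonly documented one but should be verified against Microsoft's Open Specifications before relying on it. The CSV input, the two hex property values and the allowed host intranet.example.local are all constructed for the example.

```python
"""Hunt exported Outlook folder properties for unexpected Home Page URLs.

Added example for this advisory, not vendor or tool code. Assumed (verify
before production use): the home page is stored in PR_FOLDER_WEBVIEWINFO as a
WebViewPersistenceObject laid out as dwVersion=2, dwType=1, dwFlags, 28 unused
bytes, cbData, then a NUL-terminated UTF-16LE URL. All sample data is constructed.
"""
import csv
import io
import ipaddress
import struct
from urllib.parse import urlparse

# dwVersion, dwType, dwFlags, 28 unused bytes, cbData (all little-endian)
_HEADER = struct.Struct("<III28xI")

# Hypothetical intranet portal hosts that are allowed to serve folder home pages.
ALLOWED_HOSTS = {"intranet.example.local"}

# Constructed sample property values, written as MFCMAPI would show the bytes.
# Legitimate portal: http://intranet.example.local/ (30 chars + NUL = 62 = 0x3e bytes)
FIXTURE_INTRANET = bytes.fromhex(
    "02000000 01000000 01000000" + "00" * 28 + "3e000000"
    + "6800 7400 7400 7000 3a00 2f00 2f00"                    # http://
    + "6900 6e00 7400 7200 6100 6e00 6500 7400 2e00"          # intranet.
    + "6500 7800 6100 6d00 7000 6c00 6500 2e00"               # example.
    + "6c00 6f00 6300 6100 6c00 2f00 0000"                    # local/ + NUL
)
# Unexpected target: http://203.0.113.10/x.html (26 chars + NUL = 54 = 0x36 bytes)
FIXTURE_EXTERNAL = bytes.fromhex(
    "02000000 01000000 01000000" + "00" * 28 + "36000000"
    + "6800 7400 7400 7000 3a00 2f00 2f00"                    # http://
    + "3200 3000 3300 2e00 3000 2e00 3100 3100 3300 2e00 3100 3000"  # 203.0.113.10
    + "2f00 7800 2e00 6800 7400 6d00 6c00 0000"               # /x.html + NUL
)


def parse_webviewinfo(blob: bytes) -> dict:
    """Decode a WebViewPersistenceObject into {'url': str, 'enabled': bool}.
    Raises ValueError for anything that does not match the assumed layout."""
    if len(blob) < _HEADER.size:
        raise ValueError(f"blob too short ({len(blob)} bytes)")
    version, wtype, flags, cb_data = _HEADER.unpack_from(blob, 0)
    if version != 2 or wtype != 1:
        raise ValueError(f"unexpected version/type {version}/{wtype}")
    data = blob[_HEADER.size:_HEADER.size + cb_data]
    if len(data) != cb_data:
        raise ValueError("cbData runs past the end of the blob")
    url = data.decode("utf-16-le").rstrip("\x00")  # UnicodeDecodeError is a ValueError
    return {"url": url, "enabled": bool(flags & 1)}


def classify_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return 'expected' or a 'suspicious: ...' reason for a home page URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme.lower() not in ("http", "https") or not host:
        return f"suspicious: non-web or hostless URL ({parsed.scheme or 'no scheme'})"
    try:
        ipaddress.ip_address(host)          # raw IP literals are never expected here
        return f"suspicious: raw IP address {host}"
    except ValueError:
        pass
    if host in allowed_hosts:
        return "expected"
    return f"suspicious: host {host} not on the allow list"


def hunt(export_csv: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Check every row of a (mailbox, folder, webviewinfo_hex) export; folders
    with no home page property are skipped, malformed blobs are reported too."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        raw = (row.get("webviewinfo_hex") or "").strip()
        if not raw:
            continue
        finding = {"mailbox": row["mailbox"], "folder": row["folder"],
                   "url": None, "enabled": None}
        try:
            info = parse_webviewinfo(bytes.fromhex(raw))
        except ValueError as exc:
            finding["verdict"] = f"malformed: {exc}"   # still worth an analyst's look
        else:
            finding.update(info)
            finding["verdict"] = classify_url(info["url"], allowed_hosts)
        findings.append(finding)
    return findings


# Constructed export: one folder without a home page, one legitimate, one
# pointing off-network, and one truncated property value.
SAMPLE_EXPORT = (
    "mailbox,folder,webviewinfo_hex\n"
    "alice@example.local,Inbox,\n"
    f"alice@example.local,Intranet,{FIXTURE_INTRANET.hex()}\n"
    f"bob@example.local,Inbox,{FIXTURE_EXTERNAL.hex()}\n"
    "carol@example.local,Inbox,0200000001000000\n"
)

if __name__ == "__main__":
    for f in hunt(SAMPLE_EXPORT):
        print(f"{f['mailbox']:<22} {f['folder']:<10} {f['verdict']}  {f['url'] or ''}")
```

Run as-is it reports alice's Intranet folder as expected, bob's Inbox as suspicious and carol's Inbox as malformed. Anything other than "expected" deserves a look even when dwFlags says the home page is disabled, since the property should not normally be present at all on mail folders such as Inbox.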

Key Details

CVE ID: CVE-2017-11774
Vendor / Product: Microsoft / Office
NVD Published: 2017-10-13
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
CISA KEV Added: 2021-11-03
CISA KEV Deadline: 2022-05-03
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

2017-10-10: Microsoft releases the October 2017 Patch Tuesday update, patching CVE-2017-11774 in Outlook
2017-10-13: CVE-2017-11774 published by NVD
2021-11-03: Added to the CISA Known Exploited Vulnerabilities catalog
2022-05-03: CISA BOD 22-01 remediation deadline

References

NVD: CVE-2017-11774 (vulnerability database)
CISA KEV Catalog Entry (US Government)
Microsoft Security Advisory: CVE-2017-11774 (vendor advisory)