diff --git a/Server/rules/py/action.py b/Server/rules/py/action.py
index e534db6..70959d8 100644
--- a/Server/rules/py/action.py
+++ b/Server/rules/py/action.py
@@ -1,4 +1,11 @@
 rule = [
+ {
+ 'rules': [
+ 'action == "filecreate" and targetfilename =~ "c:\\users\\.*\\appdata\\roaming\\microsoft\\outlook\\vbaproject.otm"'
+ ],
+ 'score': 300,
+ 'name': '已知Outlook模板宏持久化行为'
+ },
 {
 'rules': [
 'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
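Review bot: The added `targetfilename` pattern reaches the matcher with single backslashes (`c:\users\.*\appdata\roaming\microsoft\outlook\vbaproject.otm`, once Python has unescaped each `\\`), so if `=~` compiles its right-hand side with Python's `re`, `\u`, `\m` and `\o` are rejected as bad escapes and `\a`, `\r`, `\v` turn into control characters — the rule would then either fail to load or never fire on the Outlook VbaProject.OTM path it is meant to catch. If that is the engine, write the literal as a raw string so the doubled backslashes survive to the regex: `r'action == "filecreate" and targetfilename =~ "c:\\users\\.*\\appdata\\roaming\\microsoft\\outlook\\vbaproject.otm"'`. The `=~` implementation is not visible in this hunk, so confirm against it; the neighbouring rules use patterns like `.*lsass.exe` with no backslashes and are unaffected, and the same check applies to whether the matcher lowercases or case-folds the path before comparing. The `rule` list continues past the end of the hunk.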