T1221

Template Injection

Adversaries abuse template references embedded in Office Open XML (OOXML) documents and RTF files to conceal and deliver malicious payloads. DOCX, XLSX, and PPTX files are ZIP archives containing an XML relationship file (word/_rels/document.xml.rels) that can reference an external template URL via an attachedTemplate relationship. When the document is opened, the Office application fetches the remote template, which may deliver VBA macros, exploits, or shellcode that are absent from the original lure document — bypassing static file analysis. RTF files can be modified to include a \*\template control word pointing to a remote URL, triggering a fetch on open. Both vectors are used to deliver malicious macros (APT28 remote template macro delivery), execute exploits (Confucius, WarzoneRAT via RTF exploit embedding), or capture NTLM credentials by injecting SMB UNC paths that trigger forced authentication (Dragonfly, DarkHydrus/Phishery). Real-world campaigns frequently deliver these lures via phishing (T1566) or tainted shared content (T1080). The technique is effective because the initial document contains no traditional indicators — no embedded VBA, no OLE streams, no scripts — making gateway scanning and sandboxes that do not perform dynamic network fetching ineffective.

Microsoft Sentinel / Defender

kusto

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "msaccess.exe", "visio.exe"]);
let MicrosoftInfra = dynamic([
  "microsoft.com", "office.com", "live.com", "microsoftonline.com",
  "windows.net", "sharepoint.com", "officecdn.microsoft.com",
  "officecdna.microsoft.com", "skype.com", "bing.com", "msecnd.net",
  "msftncsi.com", "trafficmanager.net", "azure.com", "azurefd.net"
]);
// Branch 1: Office apps fetching remote templates via HTTP/HTTPS from non-Microsoft hosts
let RemoteHTTPFetch = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where RemotePort in (80, 443, 8080, 8443)
| where RemoteIPType == "Public"
| where not(RemoteUrl has_any (MicrosoftInfra))
| extend AlertType = "RemoteTemplateFetch"
| extend RiskDetail = strcat("Office process ", InitiatingProcessFileName, " fetched external URL: ", RemoteUrl)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessId,
          RemoteIP, RemotePort, RemoteUrl, AlertType, RiskDetail;
// Branch 2: Office apps connecting to SMB port — forced NTLM authentication
let ForcedAuthSMB = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where RemotePort == 445
| where RemoteIPType in ("Public", "Private")
| extend AlertType = "ForcedAuthSMB_NTLMCapture"
| extend RiskDetail = strcat("Office process ", InitiatingProcessFileName, " initiated SMB connection to ", RemoteIP, ":445 — potential NTLM hash capture")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessId,
          RemoteIP, RemotePort, RemoteUrl, AlertType, RiskDetail;
// Branch 3: Child process spawned directly by Office — indicates payload execution post-template-load
let OfficeChildExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe",
                       "svchost.exe", "conhost.exe")
| extend AlertType = "OfficeChildProcess_PostTemplateExec"
| extend RiskDetail = strcat("Office process ", InitiatingProcessFileName, " spawned ", FileName, " — possible macro/exploit execution after template load")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          AlertType, RiskDetail;
RemoteHTTPFetch
| union ForcedAuthSMB
| union (OfficeChildExec | project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId = "", RemoteIP = "", RemotePort = 0,
          RemoteUrl = "", AlertType, RiskDetail)
| sort by Timestamp desc

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Corporate document management systems (SharePoint on-premise, Confluence, custom DMS) that serve legitimate .dotx/.dotm template files to Office clients — add their hostnames/IPs to the exclusion list
Office Click-to-Run (C2R) update and telemetry processes share the same process names and may make external connections — validate against known Microsoft CDN IP ranges
Macro-enabled templates in enterprise environments where business workflows legitimately use remote templates (e.g., HR or finance template servers) — allowlist specific internal template server FQDNs
Branch 3 child process detection will fire on legitimate Office add-ins, COM automation, and scripted Office workflows (e.g., VBA calling WScript for file operations) — baseline expected parent-child pairs per environment
RTF documents produced by legal or financial software platforms that embed legitimate template references to external servers

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (
    EventCode=3
    (Image="*\\winword.exe" OR Image="*\\excel.exe" OR Image="*\\powerpnt.exe" OR Image="*\\mspub.exe" OR Image="*\\msaccess.exe" OR Image="*\\visio.exe")
    (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=445 OR DestinationPort=8080 OR DestinationPort=8443)
  )
  OR
  (
    EventCode=1
    (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\powerpnt.exe" OR ParentImage="*\\mspub.exe" OR ParentImage="*\\msaccess.exe" OR ParentImage="*\\visio.exe")
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\wmic.exe" OR Image="*\\msiexec.exe")
  )
)
| eval EventType=case(
    EventCode=3, "NetworkConnection",
    EventCode=1, "ProcessCreate",
    true(), "Unknown"
  )
| eval IsForcedAuth=if(EventCode=3 AND DestinationPort=="445", 1, 0)
| eval IsRemoteFetch=if(EventCode=3 AND (DestinationPort=="80" OR DestinationPort=="443" OR DestinationPort=="8080" OR DestinationPort=="8443"), 1, 0)
| eval IsChildExec=if(EventCode=1, 1, 0)
| eval MicrosoftInfra=if(EventCode=3 AND (
    match(DestinationHostname, "(?i)(microsoft\.com|office\.com|live\.com|microsoftonline\.com|windows\.net|sharepoint\.com|officecdn\.microsoft\.com|msecnd\.net|azure\.com|bing\.com|msn\.com|skype\.com)")
  ), 1, 0)
| where NOT (IsRemoteFetch=1 AND MicrosoftInfra=1)
| eval AlertType=case(
    IsForcedAuth=1, "ForcedAuthSMB_NTLMCapture",
    IsRemoteFetch=1, "RemoteTemplateFetch",
    IsChildExec=1, "OfficeChildProcess_PostTemplateExec",
    true(), "Unknown"
  )
| eval OfficeProcess=coalesce(Image, ParentImage)
| eval TargetOrChild=coalesce(DestinationHostname, CommandLine)
| eval RiskScore=IsForcedAuth*90 + IsRemoteFetch*60 + IsChildExec*75
| table _time, host, User, EventType, AlertType, OfficeProcess, TargetOrChild,
         DestinationIp, DestinationPort, DestinationHostname,
         CommandLine, ParentImage, ParentCommandLine, RiskScore
| sort - RiskScore, - _time

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 3 (Network Connection) Sysmon Event ID 1 (Process Creation)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Corporate document management and template servers on-premises — add their hostnames to the MicrosoftInfra exclusion regex
Office automation workflows that legitimately spawn cmd.exe or wscript.exe via VBA macros for approved business processes — baseline and allowlist by ParentCommandLine pattern
Office Click-to-Run (C2R) servicing and update processes making external connections to CDN infrastructure — validate DestinationHostname against known Microsoft ranges
Third-party Office add-ins that use COM automation causing Office to spawn helper processes — inventory add-ins and build exclusions by ChildProcess+ParentCmdLine tuple
VPN or proxy configurations that route SMB traffic through unusual endpoints — validate DestinationIp against known infrastructure

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "network" and
    event.type == "connection" and
    process.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "msaccess.exe", "visio.exe") and
    (
      (
        destination.port in (80, 443, 8080, 8443) and
        not destination.domain : (
          "*.microsoft.com", "*.office.com", "*.live.com", "*.microsoftonline.com",
          "*.windows.net", "*.sharepoint.com", "*.officecdn.microsoft.com",
          "*.officecdna.microsoft.com", "*.azure.com", "*.azurefd.net",
          "*.bing.com", "*.msecnd.net", "*.skype.com", "*.trafficmanager.net",
          "*.msftncsi.com"
        )
      )
      or destination.port == 445
    )
  )
  or
  (
    event.category == "process" and
    event.type == "start" and
    process.parent.name in~ (
      "winword.exe", "excel.exe", "powerpnt.exe",
      "mspub.exe", "msaccess.exe", "visio.exe"
    ) and
    process.name in~ (
      "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
      "bitsadmin.exe", "wmic.exe", "msiexec.exe", "svchost.exe", "conhost.exe"
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security agent Winlogbeat with Sysmon module Filebeat Sysmon module

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* winlogbeat-* .ds-logs-endpoint.events.network-* .ds-logs-endpoint.events.process-*

False Positives

Third-party Office add-ins such as Grammarly, DocuSign, or Adobe Sign that establish outbound HTTP/HTTPS connections from within Office process space during normal document open or interaction — tune by adding verified vendor domains to the destination.domain exclusion list
Corporate document templates legitimately hosted on non-Microsoft external providers such as Box, Dropbox, or on-premises SharePoint with a custom domain — these trigger RemoteTemplateFetch events but are benign; maintain an approved template-hosting domain allowlist and extend the exclusion wildcard set
IT automation and document-processing pipelines (PDF converters, batch reporting tools, legal contract management systems) that drive Office via COM automation and subsequently invoke PowerShell or cmd.exe for file output or post-processing — correlate process.parent.command_line to distinguish scripted automation from interactive user sessions
Security tooling such as EDR sensors or DLP agents that hook into Office processes and generate synthetic network connections or child process events as part of their monitoring instrumentation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  CATEGORYNAME(category) AS EventCategory,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Image" AS OfficeProcess,
  "ParentImage" AS ParentProcess,
  "CommandLine" AS CommandLine,
  "ParentCommandLine" AS ParentCommandLine,
  "DestinationHostname" AS DestinationHostname,
  CASE
    WHEN destinationport = 445
      THEN 'ForcedAuthSMB_NTLMCapture'
    WHEN destinationport IN (80, 443, 8080, 8443)
      THEN 'RemoteTemplateFetch'
    ELSE 'OfficeChildProcess_PostTemplateExec'
  END AS AlertType,
  CASE
    WHEN destinationport = 445 THEN 90
    WHEN destinationport IN (80, 443, 8080, 8443) THEN 60
    ELSE 75
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND (
    (
      QIDNAME(qid) ILIKE '%Network connection%'
      AND "Image" IMATCHES '(?i).*(winword|excel|powerpnt|mspub|msaccess|visio)\.exe'
      AND (
        (
          destinationport IN (80, 443, 8080, 8443)
          AND NOT "DestinationHostname" IMATCHES
            '(?i).*(microsoft\.com|office\.com|live\.com|microsoftonline\.com|windows\.net|sharepoint\.com|officecdn\.microsoft\.com|officecdna\.microsoft\.com|azure\.com|azurefd\.net|bing\.com|msecnd\.net|skype\.com|trafficmanager\.net|msftncsi\.com)'
        )
        OR destinationport = 445
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%Process Create%'
      AND "ParentImage" IMATCHES '(?i).*(winword|excel|powerpnt|mspub|msaccess|visio)\.exe'
      AND "Image" IMATCHES '(?i).*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|wmic|msiexec)\.exe'
    )
  )
  AND devicetime > NOW() - 86400000
ORDER BY RiskScore DESC, devicetime DESC

high severity medium confidence

Data Sources

QRadar Sysmon DSM Windows Sysmon via WinCollect agent Windows Sysmon via Universal DSM

Required Tables

events

False Positives

Corporate-managed Office templates hosted on external CDNs, partner portals, or internal SharePoint with a non-Microsoft custom domain — the DestinationHostname IMATCHES exclusion must be extended to include all approved internal and partner template-hosting domains to avoid alert fatigue
Office automation scripts used by business intelligence and reporting platforms (SSRS, Crystal Reports, Tableau) that invoke Office COM objects and subsequently spawn PowerShell or CMD processes for data export or format conversion — correlate CommandLine and ParentCommandLine to distinguish automated pipeline invocations from interactive macro execution
Security assessment tooling or endpoint monitoring agents that inject into Office process space and generate synthetic network events or child processes as part of their monitoring hooks — cross-reference against the endpoint asset inventory and known security tool deployment records

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=os/windows/sysmon)
| where EventID in ("1", "3")
| where
    (EventID = "3" AND Image matches /(?i).*(winword|excel|powerpnt|mspub|msaccess|visio)\.exe/)
    OR
    (EventID = "1" AND ParentImage matches /(?i).*(winword|excel|powerpnt|mspub|msaccess|visio)\.exe/)
| eval IsForcedAuth = if(EventID = "3" AND DestinationPort = "445", 1, 0)
| eval IsRemoteFetch = if(EventID = "3" AND DestinationPort in ("80","443","8080","8443"), 1, 0)
| eval IsChildExec = if(
    EventID = "1"
    AND matches(Image, "(?i).*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|wmic|msiexec)\\.exe"),
    1, 0)
| eval IsMicrosoftInfra = if(
    IsRemoteFetch = 1
    AND matches(DestinationHostname,
      "(?i).*(microsoft\\.com|office\\.com|live\\.com|microsoftonline\\.com|windows\\.net|sharepoint\\.com|officecdn\\.microsoft\\.com|officecdna\\.microsoft\\.com|azure\\.com|azurefd\\.net|bing\\.com|msecnd\\.net|skype\\.com|trafficmanager\\.net|msftncsi\\.com)"),
    1, 0)
| where NOT (IsRemoteFetch = 1 AND IsMicrosoftInfra = 1)
| where IsForcedAuth = 1 OR IsRemoteFetch = 1 OR IsChildExec = 1
| eval AlertType = if(IsForcedAuth = 1, "ForcedAuthSMB_NTLMCapture",
    if(IsRemoteFetch = 1, "RemoteTemplateFetch",
      if(IsChildExec = 1, "OfficeChildProcess_PostTemplateExec", "Unknown")))
| eval OfficeProcess = if(EventID = "3", Image, ParentImage)
| eval TargetOrChild = if(EventID = "3", DestinationHostname, Image)
| eval RiskScore = if(IsForcedAuth = 1, 90, if(IsRemoteFetch = 1, 60, 75))
| table _messageTime, Computer, User, EventID, AlertType, OfficeProcess,
    TargetOrChild, DestinationIp, DestinationPort, DestinationHostname,
    CommandLine, ParentImage, ParentCommandLine, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source Sumo Logic Sysmon collection Sumo Logic Cloud SIEM with Windows normalisation schema

Required Tables

windows/sysmon os/windows/sysmon

False Positives

Third-party Office add-ins (Grammarly, DocuSign, Nuance Dragon, Adobe Sign) that establish outbound HTTP/HTTPS connections from within Office process space during normal document open or editing — extend the IsMicrosoftInfra exclusion filter to include verified vendor domains used by deployed add-ins
Document management and workflow automation platforms (OpenText, Nintex, K2, Laserfiche) that drive Office via COM automation and spawn PowerShell or CMD for document conversion, routing, or archiving tasks — correlate ParentCommandLine to distinguish scripted pipeline invocations from interactive user macro execution
Macro-enabled corporate templates used by finance, legal, or HR teams that legitimately call external REST APIs for data population (e.g. pulling live rates, CRM lookups) — document approved external template source URLs and add to the allowlist; engage business stakeholders to capture the full list before tuning

Google Chronicle / SecOps

yaral

rule t1221_template_injection_detection {
  meta:
    author = "Detection Engineering"
    description = "Detects MITRE ATT&CK T1221 Template Injection via Office remote template HTTP/SMB fetch and LOLBin child process spawning"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1221"
    mitre_attack_technique_id = "T1221"
    reference = "https://attack.mitre.org/techniques/T1221/"
    created = "2026-04-13"
    version = "1.0"

  events:
    (
      (
        // Branch 1 & 2: Office process initiating outbound network connection
        $e.metadata.event_type = "NETWORK_CONNECTION"
        and re.regex(
          $e.principal.process.file.full_path,
          `(?i)(winword|excel|powerpnt|mspub|msaccess|visio)\.exe$`
        )
        and (
          (
            // Branch 1: Remote template HTTP/HTTPS fetch to non-Microsoft host
            (
              $e.target.port = 80 or
              $e.target.port = 443 or
              $e.target.port = 8080 or
              $e.target.port = 8443
            )
            and not re.regex(
              $e.target.hostname,
              `(?i)(microsoft\.com|office\.com|live\.com|microsoftonline\.com|windows\.net|sharepoint\.com|officecdn\.microsoft\.com|officecdna\.microsoft\.com|azure\.com|azurefd\.net|bing\.com|msecnd\.net|skype\.com|trafficmanager\.net|msftncsi\.com)`
            )
          )
          or
          // Branch 2: Forced NTLM auth via SMB UNC path template reference
          $e.target.port = 445
        )
      )
      or
      (
        // Branch 3: Office process spawning LOLBin child — post-template payload execution
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex(
          $e.principal.process.file.full_path,
          `(?i)(winword|excel|powerpnt|mspub|msaccess|visio)\.exe$`
        )
        and re.regex(
          $e.target.process.file.full_path,
          `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|wmic|msiexec|svchost|conhost)\.exe$`
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM via Windows Event Log forwarder Sysmon events via Chronicle Ingestion API Elastic Forwarder to Chronicle Google Chronicle SIEM with Windows normalisation parser

Required Tables

UDM Events — NETWORK_CONNECTION UDM Events — PROCESS_LAUNCH

False Positives

Legitimate corporate document templates hosted on external cloud storage providers or partner portals (Box, Dropbox, vendor extranets) where the template URL references a non-Microsoft host — maintain a Chronicle reference list of approved external template hosting domains and extend the not re.regex exclusion to match against it
Enterprise Office add-ins deployed via centralised policy that call vendor licensing, telemetry, or content endpoints over HTTP/HTTPS from within Office process context — these appear identical to remote template fetch NETWORK_CONNECTION events in UDM; cross-reference the add-in inventory against flagged destination hostnames
Automated document processing workflows (legal contract management, insurance form ingestion, financial report generation) where Office is driven via COM automation and spawns PowerShell or CMD for file output or format conversion — distinguish using principal.process.command_line to identify non-interactive invocations

CrowdStrike LogScale (CQL)

cql

// T1221 Template Injection — Office Remote Template Fetch, Forced NTLM Auth, Child Process
#event_simpleName in ["NetworkConnectIP4", "ProcessRollup2"]
| case {
    // Branch 2: Forced NTLM authentication via SMB port 445
    #event_simpleName = "NetworkConnectIP4"
    AND ImageFileName = /(?i)(winword|excel|powerpnt|mspub|msaccess|visio)\.exe/
    AND RemotePort = 445
    | AlertType := "ForcedAuthSMB_NTLMCapture"
    | RiskScore := 90;

    // Branch 1: Remote template fetch via HTTP/HTTPS to non-Microsoft host
    #event_simpleName = "NetworkConnectIP4"
    AND ImageFileName = /(?i)(winword|excel|powerpnt|mspub|msaccess|visio)\.exe/
    AND RemotePort in [80, 443, 8080, 8443]
    AND NOT DomainName = /(?i)(microsoft\.com|office\.com|live\.com|microsoftonline\.com|windows\.net|sharepoint\.com|officecdn\.microsoft\.com|officecdna\.microsoft\.com|azure\.com|azurefd\.net|bing\.com|msecnd\.net|skype\.com|trafficmanager\.net|msftncsi\.com)/
    | AlertType := "RemoteTemplateFetch"
    | RiskScore := 60;

    // Branch 3: Office child process spawning — post-template payload execution
    #event_simpleName = "ProcessRollup2"
    AND ParentBaseFileName = /(?i)(winword|excel|powerpnt|mspub|msaccess|visio)\.exe/
    AND FileName = /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|wmic|msiexec)\.exe/
    | AlertType := "OfficeChildProcess_PostTemplateExec"
    | RiskScore := 75;

    * | drop();
  }
| table(
    [@timestamp, ComputerName, UserName,
     FileName, CommandLine,
     ParentBaseFileName, ParentCommandLine,
     RemoteAddressIP4, RemotePort, DomainName,
     AlertType, RiskScore],
    limit=1000
  )
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor Falcon Data Replicator (FDR) CrowdStrike Event Stream API CrowdStrike Falcon LogScale SIEM

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

Office templates legitimately fetched from internal corporate servers or approved non-Microsoft CDN providers not covered by the DomainName exclusion regex — extend the NOT DomainName regex to include all known internal template-hosting domains and approved partner CDN hostnames
Software deployment tooling or patch management systems (SCCM, PDQ, Ansible) that use Office COM automation and spawn PowerShell or CMD as part of document generation, conversion, or reporting workflows — cross-reference CommandLine and ParentCommandLine against known deployment job signatures to distinguish scripted automation from interactive user activity
Browser-integrated Office experiences (Office Online editing plugins, Outlook add-ins, SharePoint co-authoring) that route network connections through the Office process to external services — validate flagged DomainName values against the deployed add-in and integration inventory before escalating to an incident

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1221 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Template Injection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections