THREAT-InitialAccess-PhishingMacro

Phishing Document Macro Execution and Initial Access

Despite Microsoft's macro-blocking default settings (Block macros from the internet in Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: moving to ISO/IMG file containers that strip the Mark-of-the-Web (MOTW) flag, using template injection attacks (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced with .onepkg), and targeting users who have manually disabled macro blocking via Group Policy misconfiguration or social engineering ('Enable content to view this document'). QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. NCSC 2025 advisory noted macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.

Microsoft Sentinel / Defender

kusto

// THREAT: Phishing Macro Initial Access Detection
// Detects malicious macro execution via suspicious child processes
// from Office applications and document-related processes

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe"]);
let SuspiciousChildren = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
    "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe",
    "curl.exe", "wget.exe", "schtasks.exe", "taskschd.msc"
]);
let HighRiskApps = dynamic(["wscript.exe", "cscript.exe", "mshta.exe",
    "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]);
// Alert 1: Office app spawning suspicious child process
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| extend HighRisk = FileName in~ (HighRiskApps)
| extend RiskScore = iff(HighRisk, 90, 75)
| project Timestamp, DeviceName, AccountName,
    FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RiskScore
| extend ThreatType = "Macro_SuspiciousChildProcess";
// Alert 2: ISO/IMG container mounting followed by Office doc execution
let MountEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".iso" or FileName endswith ".img" or FileName endswith ".vhd"
| where ActionType =~ "FileCreated"
| project MountTime=Timestamp, DeviceName, MountedFile=FileName, AccountName;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| join kind=inner MountEvents on DeviceName, AccountName
| where datetime_diff('minute', Timestamp, MountTime) between (0 .. 30)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, MountedFile
| extend ThreatType = "Macro_ISOContainer_Execution"

high severity high confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceFileEvents) Sysmon Event ID 1, 11 Microsoft 365 Defender

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate Office macros that invoke cmd.exe for file management operations (e.g., print macros, export scripts)
Developers testing Office automation or VBA scripts who invoke PowerShell from Excel or Word
IT management scripts embedded in Office templates that run system commands (should be replaced with modern automation)
Legitimate ISO file usage for software installation followed by document viewing on the same day

Elastic Security (EQL)

eql

/* Alert 1: Office application spawning suspicious child process (macro-based initial access) */
process where event.type == "start" and
  process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe") and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe", "curl.exe", "wget.exe", "schtasks.exe")

/* Alert 2: ISO/IMG container mount followed by Office macro execution within 30 minutes */
/* Run as a separate EQL sequence query */
/* sequence by host.name, user.name with maxspan=30m
  [file where event.action == "creation" and
    (file.extension : "iso" or file.extension : "img" or file.extension : "vhd")]
  [process where event.type == "start" and
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe") and
    process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe")]
*/

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon (Event ID 1) Elastic Agent (system integration)

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

Legitimate IT automation using Excel/Word COM objects that spawn cmd.exe or PowerShell for scheduled data refresh or ETL pipelines — whitelist by specific CommandLine hash or parent process path in known automation service accounts
Corporate-approved macro-enabled templates in finance or HR departments that use certutil.exe for certificate operations or schtasks.exe for report scheduling — tune by adding user group or host exclusions for known automation endpoints
Developer environments with VSTO add-ins or Office automation test harnesses that legitimately spawn PowerShell for build/test tasks — exclude by host name prefix (e.g., DEV-* or BUILD-*) in the query filter

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "ParentProcessPath" AS ParentProcess,
  "ProcessPath" AS ChildProcess,
  "CommandLine" AS CommandLine,
  CASE
    WHEN "ProcessPath" ILIKE '%\\mshta.exe'
      OR "ProcessPath" ILIKE '%\\cscript.exe'
      OR "ProcessPath" ILIKE '%\\wscript.exe'
      OR "ProcessPath" ILIKE '%\\regsvr32.exe'
      OR "ProcessPath" ILIKE '%\\certutil.exe'
      OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
    THEN 90
    ELSE 75
  END AS RiskScore,
  CASE
    WHEN "ProcessPath" ILIKE '%\\mshta.exe'
      OR "ProcessPath" ILIKE '%\\cscript.exe'
      OR "ProcessPath" ILIKE '%\\wscript.exe'
      OR "ProcessPath" ILIKE '%\\regsvr32.exe'
      OR "ProcessPath" ILIKE '%\\certutil.exe'
      OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
    THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS Severity
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 1
  AND (
    "ParentProcessPath" ILIKE '%\\winword.exe'
    OR "ParentProcessPath" ILIKE '%\\excel.exe'
    OR "ParentProcessPath" ILIKE '%\\powerpnt.exe'
    OR "ParentProcessPath" ILIKE '%\\outlook.exe'
    OR "ParentProcessPath" ILIKE '%\\onenote.exe'
    OR "ParentProcessPath" ILIKE '%\\mspub.exe'
    OR "ParentProcessPath" ILIKE '%\\msaccess.exe'
  )
  AND (
    "ProcessPath" ILIKE '%\\cmd.exe'
    OR "ProcessPath" ILIKE '%\\powershell.exe'
    OR "ProcessPath" ILIKE '%\\pwsh.exe'
    OR "ProcessPath" ILIKE '%\\mshta.exe'
    OR "ProcessPath" ILIKE '%\\wscript.exe'
    OR "ProcessPath" ILIKE '%\\cscript.exe'
    OR "ProcessPath" ILIKE '%\\regsvr32.exe'
    OR "ProcessPath" ILIKE '%\\rundll32.exe'
    OR "ProcessPath" ILIKE '%\\certutil.exe'
    OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
    OR "ProcessPath" ILIKE '%\\wmic.exe'
    OR "ProcessPath" ILIKE '%\\msiexec.exe'
    OR "ProcessPath" ILIKE '%\\curl.exe'
    OR "ProcessPath" ILIKE '%\\schtasks.exe'
  )
LAST 24 HOURS
ORDER BY RiskScore DESC, starttime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon via Windows Event Log (Event ID 1) QRadar DSM with custom Sysmon property extraction

Required Tables

events

False Positives

Automated report generation workflows using Excel with macros that call cmd.exe or PowerShell to execute batch file post-processing — create a QRadar building block to exclude known service account usernames (e.g., SVC_REPORTS) from this rule
Software deployment tools (PDQ Deploy, SCCM) that open Office documents during package installation and may spawn cmd.exe — exclude by source IP ranges of deployment servers in the WHERE clause
Third-party Office add-ins (e.g., DocuSign, Adobe, Salesforce for Outlook) that use embedded scripts or helper executables — review CommandLine values and whitelist specific signed binaries with known-good argument patterns

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*wineventlog*)
| where EventID = "1" OR event_id = "1"
| parse field=ParentImage "*\\*" as _parentDir, ParentProcessName nodrop
| parse field=Image "*\\*" as _procDir, ProcessName nodrop
| where ParentProcessName in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "mspub.exe", "msaccess.exe")
| where ProcessName in ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe", "curl.exe", "wget.exe", "schtasks.exe")
| eval HighRisk = if (ProcessName in ("mshta.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"), "YES", "NO")
| eval RiskScore = if (HighRisk = "YES", 90, 75)
| eval ThreatActors = "QakBot successor (Pikabot/DarkGate), TA577, Lazarus Group"
| eval ThreatType = "Macro_SuspiciousChildProcess"
| fields _sourceHost, User, ParentProcessName, ProcessName, CommandLine, RiskScore, HighRisk, ThreatType, ThreatActors
| count by _sourceHost, User, ParentProcessName, ProcessName, HighRisk, RiskScore, ThreatType
| sort - RiskScore

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon Event ID 1 (Process Create) via Sumo Installed Collector Windows Event Log collector with Sysmon operational channel

Required Tables

Sysmon Process Create events (EventID 1) ingested under appropriate _sourceCategory

False Positives

Finance department Excel dashboards with approved macros that invoke PowerShell scripts for data pull from internal APIs — add a Sumo Logic allowlist lookup table of approved automation host/user pairs and join against it to suppress known-good events
IT support workflows that use Outlook rules to trigger cmd.exe-based scripts for ticket creation or alert forwarding — investigate the CommandLine field; legitimate automation will have static, recognisable argument patterns rather than obfuscated or download-oriented commands
Legacy line-of-business applications using Word or Excel automation that call regsvr32.exe to register COM components during startup — correlate with software deployment windows and suppress events within change-freeze windows where deployment activity is expected

Google Chronicle / SecOps

yaral

rule phishing_macro_office_suspicious_child_process {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects Office applications spawning LOLBins or script interpreters, indicative of macro-based phishing initial access. Covers Pikabot, DarkGate, TA577, and Lazarus Group TTPs. NCSC 2025: macro-based delivery in 40% of UK SMB ransomware intrusions."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566.001"
    mitre_attack_subtechnique = "T1566.001"
    reference = "https://attack.mitre.org/techniques/T1566/001/"
    created = "2025-04-25"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec|curl|wget|schtasks)\.exe$/
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user

  condition:
    $proc
}

rule phishing_macro_iso_container_delivery {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects ISO/IMG/VHD container file creation followed within 30 minutes by an Office application spawning a suspicious child process, indicating MOTW-bypass phishing delivery chain."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566.001"
    created = "2025-04-25"
    version = "1.0"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    $file.target.file.full_path = /(?i)\.(iso|img|vhd|vhdx)$/
    $file.principal.hostname = $hostname
    $file.principal.user.userid = $user

    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec)\.exe$/
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user

  match:
    $hostname, $user over 30m

  condition:
    $file and $proc
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows endpoint telemetry via Chronicle forwarder or third-party ingestion (CrowdStrike, Carbon Black, SentinelOne)

Required Tables

UDM PROCESS_LAUNCH events UDM FILE_CREATION events

False Positives

Legitimate macro-enabled workbooks used by finance teams that invoke PowerShell or cmd.exe for automated report delivery — add an exception list in Chronicle using a reference list of approved automation user accounts bound to specific Office processes
ISO/IMG files downloaded by IT admins for OS provisioning followed by running Excel-based inventory tools — the 30-minute correlation window will catch this pattern; tune by excluding known IT admin hostnames or adding a NOT condition on the file path matching known ISO repo directories
Security tooling that uses Office document generation (e.g., SIEM report exports via Word COM) and may invoke cmd.exe for file operations — review target.process.command_line in alerts; legitimate tooling will have predictable, non-obfuscated arguments

CrowdStrike LogScale (CQL)

cql

// Alert 1: Office application spawning suspicious child process (macro execution)
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
| FileName = /(?i)^(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec|curl|wget|schtasks)\.exe$/
| HighRisk := if(FileName =~ /(?i)^(mshta|cscript|wscript|regsvr32|certutil|bitsadmin)\.exe$/, "YES", "NO")
| RiskScore := if(HighRisk = "YES", 90, 75)
| ThreatType := "Macro_SuspiciousChildProcess"
| ThreatActors := "Pikabot, DarkGate, TA577, Lazarus Group"
| groupBy(
    [ComputerName, UserName, ParentBaseFileName, FileName, HighRisk, RiskScore, ThreatType],
    function=[
      count(as=EventCount),
      values(CommandLine, as=CommandLines),
      values(TargetProcessId, as=ChildPIDs),
      max(RiskScore, as=MaxRisk)
    ]
  )
| sort(MaxRisk, order=desc)

// Alert 2 (run separately): ISO/VHD file write followed by Office macro execution
// #event_simpleName=/(ProcessRollup2|NewScriptWritten|PeFileWritten)/
// | join(
//   {#event_simpleName=/(AsepValueUpdate|PeFileWritten|NewScriptWritten)/
//    | FileName =~ /(?i)\.(iso|img|vhd|vhdx)$/
//    | groupBy([ComputerName, UserName], function=collect([FileName], as=ContainerFiles))},
//   field=[ComputerName, UserName], mode=inner
// )
// | ParentBaseFileName =~ /(?i)^(winword|excel|powerpnt|outlook|onenote|mspub)\.exe$/
// | FileName =~ /(?i)^(cmd|powershell|mshta|wscript|cscript|regsvr32|rundll32|certutil)\.exe$/

high severity high confidence

Data Sources

CrowdStrike Falcon Platform (EDR) CrowdStrike LogScale (Humio) Falcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2 events (Falcon EDR process telemetry)

False Positives

Automated Excel-based reporting tools used by operations teams that spawn PowerShell for data aggregation — create a LogScale saved search exclusion using a lookup table of approved service account UserName values paired with known-good CommandLine prefixes
Managed software deployment via Microsoft SCCM or Intune that temporarily spawns Office processes during package installation and may call msiexec.exe or cmd.exe — correlate RiskScore=75 alerts against your change management window schedule and suppress during maintenance periods
Security awareness training platforms (e.g., KnowBe4, Proofpoint Security Awareness) that deliver simulated phishing documents which may execute macro payloads in sandboxed or monitored environments — exclude by hostname suffix or OU membership if your training uses dedicated test endpoints

Last updated: 2026-04-25 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-InitialAccess-PhishingMacro including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Phishing Document Macro Execution and Initial Access

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Initial Access

Popular Detections