THREAT-InitialAccess-PhishingMacro Google Chronicle · YARA-L

Detect Phishing Document Macro Execution and Initial Access in Google Chronicle

Despite Microsoft's macro-blocking default settings (Block macros from the internet in Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: moving to ISO/IMG file containers that strip the Mark-of-the-Web (MOTW) flag, using template injection attacks (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced with .onepkg), and targeting users who have manually disabled macro blocking via Group Policy misconfiguration or social engineering ('Enable content to view this document'). QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. The NCSC 2025 advisory noted that macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.

MITRE ATT&CK

Tactics: Initial Access, Execution

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule phishing_macro_office_suspicious_child_process {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects Office applications spawning LOLBins or script interpreters, indicative of macro-based phishing initial access. Covers Pikabot, DarkGate, TA577, and Lazarus Group TTPs. NCSC 2025: macro-based delivery in 40% of UK SMB ransomware intrusions."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566"
    mitre_attack_subtechnique = "T1566.001"
    reference = "https://attack.mitre.org/techniques/T1566/001/"
    created = "2025-04-25"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    // principal.process is the parent (the Office host application)
    $proc.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
    // target.process is the spawned child (LOLBin or script interpreter)
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec|curl|wget|schtasks)\.exe$/
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user

  condition:
    $proc
}

rule phishing_macro_iso_container_delivery {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects ISO/IMG/VHD container file creation followed within 30 minutes by an Office application spawning a suspicious child process, indicating MOTW-bypass phishing delivery chain."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566"
    mitre_attack_subtechnique = "T1566.001"
    created = "2025-04-25"
    version = "1.0"

  events:
    // Event 1: a disk-image container lands on the host (MOTW is not propagated into it)
    $file.metadata.event_type = "FILE_CREATION"
    $file.target.file.full_path = /(?i)\.(iso|img|vhd|vhdx)$/
    $file.principal.hostname = $hostname
    $file.principal.user.userid = $user

    // Event 2: Office spawns a LOLBin on the same host for the same user
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec)\.exe$/
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user

  match:
    // both events are joined on host + user inside a 30-minute window
    $hostname, $user over 30m

  condition:
    $file and $proc
}
```
Severity: High · Confidence: High

Two Chronicle YARA-L 2.0 rules for phishing macro initial access detection. Rule 1 (phishing_macro_office_suspicious_child_process) triggers on any Office application spawning a LOLBin or script interpreter using UDM PROCESS_LAUNCH events. Rule 2 (phishing_macro_iso_container_delivery) uses a temporal correlation over 30 minutes to detect ISO/IMG container file drops followed by Office-spawned suspicious processes, capturing the MOTW-bypass delivery chain used by Pikabot and DarkGate. Both rules use the UDM principal/target field model, in which principal.process is the parent (the Office host) and target.process is the spawned child.
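To show what the two predicates above actually match, here is an added Python re-implementation of their logic (this is not Chronicle or df00tech code) run over constructed UDM-like events; it also models the Test 1 signal below, Excel spawning cmd.exe. The event dictionaries, hostnames, user names and paths are all assumptions made up for the example.

```python
import re
from datetime import datetime, timedelta

# Regexes copied from the two rules above (Rule 2's child list omits curl/wget/schtasks).
OFFICE_RE = re.compile(r"(?i)(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$")
LOLBIN_RE = re.compile(r"(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32"
                       r"|certutil|bitsadmin|wmic|msiexec|curl|wget|schtasks)\.exe$")
CONTAINER_RE = re.compile(r"(?i)\.(iso|img|vhd|vhdx)$")
WINDOW = timedelta(minutes=30)  # the "over 30m" match window of Rule 2

def office_child_match(ev):
    """Rule 1: PROCESS_LAUNCH whose parent (principal) is Office and child (target) a LOLBin."""
    return (ev["event_type"] == "PROCESS_LAUNCH"
            and OFFICE_RE.search(ev["parent_path"]) is not None
            and LOLBIN_RE.search(ev["child_path"]) is not None)

def iso_chain_matches(events):
    """Rule 2: container drop, then a Rule 1 hit for the same host+user within WINDOW (drop first)."""
    drops = [e for e in events
             if e["event_type"] == "FILE_CREATION" and CONTAINER_RE.search(e["file_path"])]
    hits = []
    for p in events:
        if not office_child_match(p):
            continue
        for f in drops:
            same_key = (f["host"], f["user"]) == (p["host"], p["user"])
            if same_key and timedelta(0) <= p["ts"] - f["ts"] <= WINDOW:
                hits.append((f["file_path"], p["child_path"]))
    return hits

# Constructed sample telemetry (not real data), keyed like UDM principal/target fields.
SAMPLE_EVENTS = [
    {"event_type": "FILE_CREATION", "host": "WS01", "user": "alice", "ts": datetime(2025, 4, 25, 10, 0),
     "file_path": r"C:\Users\alice\Downloads\invoice.iso"},
    {"event_type": "PROCESS_LAUNCH", "host": "WS01", "user": "alice", "ts": datetime(2025, 4, 25, 10, 12),
     "parent_path": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "child_path": r"C:\Windows\System32\cmd.exe"},                                  # Rule 1 + Rule 2
    {"event_type": "PROCESS_LAUNCH", "host": "WS02", "user": "bob", "ts": datetime(2025, 4, 25, 10, 5),
     "parent_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "child_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},     # Rule 1 only
    {"event_type": "FILE_CREATION", "host": "WS03", "user": "carol", "ts": datetime(2025, 4, 25, 9, 0),
     "file_path": r"D:\isos\ubuntu-24.04.iso"},
    {"event_type": "PROCESS_LAUNCH", "host": "WS03", "user": "carol", "ts": datetime(2025, 4, 25, 9, 45),
     "parent_path": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "child_path": r"C:\Windows\System32\cmd.exe"},                    # Rule 1 only: 45 min after the drop
]
```

Note that a YARA-L match window groups events by host and user without ordering them; the Python version additionally requires the container drop to precede the launch, which the rule as written does not.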

Data Sources

  • Google Chronicle SIEM
  • Chronicle Unified Data Model (UDM)
  • Windows endpoint telemetry via Chronicle forwarder or third-party ingestion (CrowdStrike, Carbon Black, SentinelOne)

Required Tables

  • UDM PROCESS_LAUNCH events
  • UDM FILE_CREATION events

False Positives & Tuning

  • Legitimate macro-enabled workbooks used by finance teams that invoke PowerShell or cmd.exe for automated report delivery — add an exception list in Chronicle using a reference list of approved automation user accounts bound to specific Office processes
  • ISO/IMG files downloaded by IT admins for OS provisioning followed by running Excel-based inventory tools — the 30-minute correlation window will catch this pattern; tune by excluding known IT admin hostnames or adding a NOT condition on the file path matching known ISO repo directories
  • Security tooling that uses Office document generation (e.g., SIEM report exports via Word COM) and may invoke cmd.exe for file operations — review target.process.command_line in alerts; legitimate tooling will have predictable, non-obfuscated arguments
Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Office Macro Child Process Simulation (Excel)

    Expected signal: Sysmon Event ID 1: Excel.exe spawning cmd.exe. Parent process chain: explorer.exe > excel.exe > cmd.exe.
