Detect Phishing Document Macro Execution and Initial Access in Elastic Security
Despite Microsoft's macro-blocking default settings (Block macros from the internet in Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: moving to ISO/IMG file containers that strip the Mark-of-the-Web (MOTW) flag, using template injection attacks (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced with .onepkg), and targeting users who have manually disabled macro blocking via Group Policy misconfiguration or social engineering ('Enable content to view this document'). QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. An NCSC 2025 advisory noted that macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.
MITRE ATT&CK
- Tactic: Initial Access, Execution
Elastic Detection Query
/* Alert 1: Office application spawning suspicious child process (macro-based initial access) */
process where event.type == "start" and
  process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe") and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe", "curl.exe", "wget.exe", "schtasks.exe")

/* Alert 2: ISO/IMG container file written to disk, followed by Office macro execution within 30 minutes.
   Note that the first stage matches the container file being created, not the mount event itself.
   Run as a separate EQL sequence rule; it cannot be combined with Alert 1 in a single query. */
sequence by host.name, user.name with maxspan=30m
  [file where event.action == "creation" and
    (file.extension : "iso" or file.extension : "img" or file.extension : "vhd")]
  [process where event.type == "start" and
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe") and
    process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe")]

Detects phishing macro initial access via Office applications spawning LOLBins or script interpreters. Covers both direct macro execution and ISO/IMG container delivery that bypasses Mark-of-the-Web. Targets QakBot successor (Pikabot, DarkGate), TA577, and Lazarus Group TTPs documented in the NCSC 2025 advisory. Uses the ECS process.parent.name and process.name fields from Elastic Endpoint or Winlogbeat with Sysmon.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT automation using Excel/Word COM objects that spawn cmd.exe or PowerShell for scheduled data refresh or ETL pipelines — whitelist by specific CommandLine hash or parent process path in known automation service accounts
- Corporate-approved macro-enabled templates in finance or HR departments that use certutil.exe for certificate operations or schtasks.exe for report scheduling — tune by adding user group or host exclusions for known automation endpoints
- Developer environments with VSTO add-ins or Office automation test harnesses that legitimately spawn PowerShell for build/test tasks — exclude by host name prefix (e.g., DEV-* or BUILD-*) in the query filter
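The following is an added worked example, not code from the page or from Elastic: a small offline evaluator that applies the logic of Alert 1 and of the Alert 2 sequence (grouped by host.name and user.name, maxspan 30 minutes) to a handful of constructed ECS-style events, and applies the host-name prefix exclusion (DEV-*, BUILD-*) suggested in the tuning notes. All host names, user names, file names and timestamps are made up. The sequence handling is a simplification of EQL semantics (one pending container creation is consumed per match), which is enough to show why the two-hour gap in the second chain does not fire Alert 2 while the five-minute gap in the first one does.

```python
"""Offline evaluator for the two EQL alerts above over constructed ECS events.
Added example, not Elastic's or the page's own code; all sample data is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "onenote.exe", "msaccess.exe", "mspub.exe"}
ALERT1_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
                   "bitsadmin.exe", "wmic.exe", "msiexec.exe", "curl.exe", "wget.exe",
                   "schtasks.exe"}
# The Alert 2 second stage uses the same list minus curl/wget/schtasks.
ALERT2_CHILDREN = ALERT1_CHILDREN - {"curl.exe", "wget.exe", "schtasks.exe"}
CONTAINER_EXT = {"iso", "img", "vhd"}
MAXSPAN = timedelta(minutes=30)
# Tuning from the False Positives section; the prefixes are assumed values.
EXCLUDED_HOST_PREFIXES = ("DEV-", "BUILD-")


def ts(e):
    return datetime.fromisoformat(e["@timestamp"])


def excluded(e):
    return e["host"]["name"].upper().startswith(EXCLUDED_HOST_PREFIXES)


def is_office_child(e, children):
    """process where event.type == "start" and parent is Office and child is in the list."""
    proc = e.get("process", {})
    return (e["event"].get("category") == "process"
            and e["event"].get("type") == "start"
            and proc.get("parent", {}).get("name", "").lower() in OFFICE_PARENTS
            and proc.get("name", "").lower() in children)


def alert1(events):
    """Alert 1: Office application spawning a LOLBin or script interpreter."""
    return [e for e in events if is_office_child(e, ALERT1_CHILDREN) and not excluded(e)]


def alert2(events):
    """Alert 2: container file creation, then Office child process, same host+user, within 30m."""
    hits = []
    pending = defaultdict(list)  # (host, user) -> timestamps of container creations
    for e in sorted(events, key=ts):
        key = (e["host"]["name"], e["user"]["name"])
        if (e["event"].get("category") == "file" and e["event"].get("action") == "creation"
                and e.get("file", {}).get("extension", "").lower() in CONTAINER_EXT):
            pending[key].append(ts(e))
        elif is_office_child(e, ALERT2_CHILDREN) and not excluded(e):
            # Discard first-stage events older than maxspan, then match if any remain.
            pending[key] = [t for t in pending[key] if ts(e) - t <= MAXSPAN]
            if pending[key]:
                hits.append(e)
                pending[key] = []  # the matched first stage is consumed
    return hits


def ev(t, host, user, **fields):
    base = {"@timestamp": t, "host": {"name": host}, "user": {"name": user}}
    base.update(fields)
    return base


# Constructed sample telemetry (not real logs).
SAMPLE = [
    # Chain 1: invoice.iso dropped, Excel spawns cmd.exe five minutes later
    # (the Atomic Red Team expected signal: explorer.exe > excel.exe > cmd.exe).
    ev("2025-03-03T09:00:00", "WS-042", "alice", event={"category": "file", "action": "creation"},
       file={"name": "invoice.iso", "extension": "iso"}),
    ev("2025-03-03T09:05:00", "WS-042", "alice", event={"category": "process", "type": "start"},
       process={"name": "cmd.exe", "parent": {"name": "excel.exe"}}),
    # Chain 2: .img dropped, Word spawns mshta.exe 2.5 hours later: Alert 1 only.
    ev("2025-03-03T10:00:00", "WS-007", "bob", event={"category": "file", "action": "creation"},
       file={"name": "setup.img", "extension": "img"}),
    ev("2025-03-03T12:30:00", "WS-007", "bob", event={"category": "process", "type": "start"},
       process={"name": "mshta.exe", "parent": {"name": "winword.exe"}}),
    # Developer host: Excel spawning PowerShell is excluded by the DEV- prefix tuning.
    ev("2025-03-03T11:00:00", "DEV-17", "carol", event={"category": "process", "type": "start"},
       process={"name": "powershell.exe", "parent": {"name": "excel.exe"}}),
    # Benign Office child (print spooler helper), not in either child list.
    ev("2025-03-03T11:10:00", "WS-042", "alice", event={"category": "process", "type": "start"},
       process={"name": "splwow64.exe", "parent": {"name": "winword.exe"}}),
]

if __name__ == "__main__":
    for e in alert1(SAMPLE):
        print("ALERT1", e["host"]["name"], e["process"]["parent"]["name"], "->", e["process"]["name"])
    for e in alert2(SAMPLE):
        print("ALERT2", e["host"]["name"], e["user"]["name"], e["process"]["name"])
```

Running the script prints two Alert 1 hits (WS-042 and WS-007) and one Alert 2 hit (WS-042/alice); the DEV-17 event is dropped by the host prefix exclusion, and the benign splwow64.exe child never matches. When tuning the real rule, prefer narrow exclusions (a specific service account, host, or command-line hash) over removing a child process from the list, since every entry in that list is a documented macro-to-LOLBin pivot.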
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Office Macro Child Process Simulation (Excel)
  Expected signal: Sysmon Event ID 1: Excel.exe spawning cmd.exe. Parent process chain: explorer.exe > excel.exe > cmd.exe.
References (6)
- https://www.ncsc.gov.uk/guidance/phishing
- https://www.microsoft.com/en-us/security/blog/2022/02/07/macro-based-delivery-of-qakbot/
- https://attack.mitre.org/techniques/T1566/001/
- https://attack.mitre.org/techniques/T1059/005/
- https://github.com/decalage2/oletools
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference