Detect Phishing Document Macro Execution and Initial Access in CrowdStrike LogScale
Despite Microsoft's macro-blocking defaults ("Block macros from the internet" in Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: moving to ISO/IMG file containers that strip the Mark-of-the-Web (MOTW) flag, using template injection (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced with .onepkg), and targeting users who have had macro blocking disabled through Group Policy misconfiguration or social engineering ("Enable content to view this document"). QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. An NCSC 2025 advisory noted that macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.
MITRE ATT&CK
- Tactic: Initial Access, Execution
LogScale Detection Query
// Alert 1: Office application spawning suspicious child process (macro execution)
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
| FileName = /(?i)^(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec|curl|wget|schtasks)\.exe$/
| HighRisk := if(FileName = /(?i)^(mshta|cscript|wscript|regsvr32|certutil|bitsadmin)\.exe$/, then="YES", else="NO")
| RiskScore := if(HighRisk = "YES", then=90, else=75)
| ThreatType := "Macro_SuspiciousChildProcess"
| ThreatActors := "Pikabot, DarkGate, TA577, Lazarus Group"
| groupBy(
[ComputerName, UserName, ParentBaseFileName, FileName, HighRisk, RiskScore, ThreatType],
function=[
count(as=EventCount),
values(CommandLine, as=CommandLines),
values(TargetProcessId, as=ChildPIDs),
max(RiskScore, as=MaxRisk)
]
)
| sort(MaxRisk, order=desc)
// Alert 2 (run separately): ISO/VHD file write followed by Office macro execution
// Outer search narrowed to ProcessRollup2, since the ParentBaseFileName/FileName filters below only exist on process events
// #event_simpleName=ProcessRollup2
// | join(
//     {#event_simpleName=/(AsepValueUpdate|PeFileWritten|NewScriptWritten)/
//      | FileName = /(?i)\.(iso|img|vhd|vhdx)$/
//      | groupBy([ComputerName, UserName], function=collect([FileName], as=ContainerFiles))},
//     field=[ComputerName, UserName], mode=inner
//   )
// | ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|mspub)\.exe$/
// | FileName = /(?i)^(cmd|powershell|mshta|wscript|cscript|regsvr32|rundll32|certutil)\.exe$/
CrowdStrike LogScale (Falcon NG-SIEM) CQL query detecting Office applications spawning LOLBins or script interpreters, using ProcessRollup2 Falcon telemetry events. It applies regex filters to the ParentBaseFileName and FileName fields (Falcon-normalised process names without path), assigns a risk score (90 for the script-host and LOLBin children most often seen in macro droppers, 75 otherwise), and groups by host, user and parent/child combination so repeated execution attempts aggregate into one row. Covers Pikabot, DarkGate, TA577, and Lazarus Group initial access patterns. The commented-out second query sketches ISO/VHD container correlation via join() on file-write events; adapt it to the event types your Falcon sensor actually emits before enabling it.
Data Sources
Required Tables
False Positives & Tuning
- Automated Excel-based reporting tools used by operations teams that spawn PowerShell for data aggregation — create a LogScale saved search exclusion using a lookup table of approved service account UserName values paired with known-good CommandLine prefixes
- Managed software deployment via Microsoft SCCM or Intune that temporarily spawns Office processes during package installation and may call msiexec.exe or cmd.exe — correlate RiskScore=75 alerts against your change management window schedule and suppress during maintenance periods
- Security awareness training platforms (e.g., KnowBe4, Proofpoint Security Awareness) that deliver simulated phishing documents which may execute macro payloads in sandboxed or monitored environments — exclude by hostname suffix or OU membership if your training uses dedicated test endpoints
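The following is an added example, not the page's query or any CrowdStrike code: a small Python model of the Alert 1 logic (same parent/child regexes, HighRisk and RiskScore assignment, groupBy and sort by MaxRisk) together with the lookup-table style exclusion described in the first tuning bullet. It runs over constructed ProcessRollup2-shaped events so the filters and the exclusion can be unit-tested offline before the CQL is deployed; the `APPROVED_PREFIXES` rows and all host, user and PID values are hypothetical.

```python
import re

# Same alternations as the LogScale query, case-insensitive like (?i).
OFFICE_PARENTS = re.compile(
    r"^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$", re.I)
SUSPICIOUS_CHILDREN = re.compile(
    r"^(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil"
    r"|bitsadmin|wmic|msiexec|curl|wget|schtasks)\.exe$", re.I)
HIGH_RISK_CHILDREN = re.compile(
    r"^(mshta|cscript|wscript|regsvr32|certutil|bitsadmin)\.exe$", re.I)

# Hypothetical allow-list standing in for the LogScale lookup table of approved
# service-account UserName values paired with known-good CommandLine prefixes.
APPROVED_PREFIXES = [
    ("svc_reporting", "powershell.exe -NoProfile -File C:\\Reports\\"),
]


def is_approved(event):
    """True when both the UserName and the CommandLine prefix match an allow-list row."""
    return any(event["UserName"] == user and event["CommandLine"].startswith(prefix)
               for user, prefix in APPROVED_PREFIXES)


def classify(event):
    """Apply the Alert 1 filters; return (HighRisk, RiskScore) or None if no match."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return None
    if not OFFICE_PARENTS.match(event["ParentBaseFileName"]):
        return None
    if not SUSPICIOUS_CHILDREN.match(event["FileName"]):
        return None
    high = HIGH_RISK_CHILDREN.match(event["FileName"]) is not None
    return ("YES", 90) if high else ("NO", 75)


def run_alert(events, apply_tuning=True):
    """Emulate groupBy([...]) with count/values/max, then sort(MaxRisk, order=desc)."""
    groups = {}
    for ev in events:
        verdict = classify(ev)
        if verdict is None or (apply_tuning and is_approved(ev)):
            continue
        high, score = verdict
        # Group key mirrors the query's groupBy field list (case preserved, as LogScale does).
        key = (ev["ComputerName"], ev["UserName"], ev["ParentBaseFileName"],
               ev["FileName"], high, score)
        row = groups.setdefault(key, {"EventCount": 0, "CommandLines": set(),
                                      "ChildPIDs": set(), "MaxRisk": 0})
        row["EventCount"] += 1
        row["CommandLines"].add(ev["CommandLine"])
        row["ChildPIDs"].add(ev["TargetProcessId"])
        row["MaxRisk"] = max(row["MaxRisk"], score)
    rows = [{"ComputerName": k[0], "UserName": k[1], "ParentBaseFileName": k[2],
             "FileName": k[3], "HighRisk": k[4], "RiskScore": k[5], **v}
            for k, v in groups.items()]
    rows.sort(key=lambda r: r["MaxRisk"], reverse=True)
    return rows


def _ev(host, user, parent, child, cmdline, pid, name="ProcessRollup2"):
    """Build a constructed event carrying only the Falcon fields the query reads."""
    return {"event_simpleName": name, "ComputerName": host, "UserName": user,
            "ParentBaseFileName": parent, "FileName": child,
            "CommandLine": cmdline, "TargetProcessId": pid}


# Constructed sample telemetry (hypothetical hosts, users, paths and PIDs).
SAMPLE_EVENTS = [
    _ev("WS-01", "alice", "EXCEL.EXE", "cmd.exe", "cmd.exe /c echo test", 4120),
    _ev("WS-01", "alice", "WINWORD.EXE", "mshta.exe", "mshta.exe C:\\Temp\\sample.hta", 4388),
    _ev("WS-01", "alice", "WINWORD.EXE", "mshta.exe", "mshta.exe C:\\Temp\\sample.hta", 4402),
    _ev("SRV-RPT", "svc_reporting", "EXCEL.EXE", "powershell.exe",
        "powershell.exe -NoProfile -File C:\\Reports\\nightly.ps1", 1188),  # tuned out
    _ev("WS-02", "bob", "explorer.exe", "notepad.exe", "notepad.exe", 2200),  # no match
    _ev("WS-02", "bob", "EXCEL.EXE", "cmd.exe", "cmd.exe", 2201, name="PeFileWritten"),  # wrong event type
]

if __name__ == "__main__":
    for row in run_alert(SAMPLE_EVENTS):
        print(row["ComputerName"], row["UserName"], row["ParentBaseFileName"],
              row["FileName"], row["HighRisk"], row["EventCount"], sorted(row["ChildPIDs"]))
```

Running it yields two rows: the WINWORD.EXE > mshta.exe pair (HighRisk YES, two events aggregated) sorted above the EXCEL.EXE > cmd.exe pair (75), while the approved reporting account is suppressed; pass `apply_tuning=False` to see it reappear and confirm the exclusion is what removed it.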
Testing Methodology
Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Office Macro Child Process Simulation (Excel)
Expected signal: Sysmon Event ID 1 showing excel.exe spawning cmd.exe, with the parent process chain explorer.exe > excel.exe > cmd.exe. In Falcon telemetry the equivalent is a ProcessRollup2 event with ParentBaseFileName=excel.exe and FileName=cmd.exe, which the Alert 1 query above should surface with HighRisk=NO and RiskScore=75.
References (6)
- https://www.ncsc.gov.uk/guidance/phishing
- https://www.microsoft.com/en-us/security/blog/2022/02/07/macro-based-delivery-of-qakbot/
- https://attack.mitre.org/techniques/T1566/001/
- https://attack.mitre.org/techniques/T1059/005/
- https://github.com/decalage2/oletools
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference