Detect Phishing Document Macro Execution and Initial Access in IBM QRadar
Despite Microsoft's macro-blocking defaults (Block macros from the internet in Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: moving to ISO/IMG file containers that strip the Mark-of-the-Web (MOTW) flag, using template injection attacks (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced with .onepkg), and targeting users who have manually disabled macro blocking via Group Policy misconfiguration or social engineering ('Enable content to view this document'). QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. An NCSC 2025 advisory noted that macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.
MITRE ATT&CK
- Tactic: Initial Access, Execution
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
    sourceip AS SourceIP,
    username AS Username,
    QIDNAME(qid) AS EventName,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "ParentProcessPath" AS ParentProcess,
    "ProcessPath" AS ChildProcess,
    "CommandLine" AS CommandLine,
    CASE
        WHEN "ProcessPath" ILIKE '%\\mshta.exe'
            OR "ProcessPath" ILIKE '%\\cscript.exe'
            OR "ProcessPath" ILIKE '%\\wscript.exe'
            OR "ProcessPath" ILIKE '%\\regsvr32.exe'
            OR "ProcessPath" ILIKE '%\\certutil.exe'
            OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
        THEN 90
        ELSE 75
    END AS RiskScore,
    CASE
        WHEN "ProcessPath" ILIKE '%\\mshta.exe'
            OR "ProcessPath" ILIKE '%\\cscript.exe'
            OR "ProcessPath" ILIKE '%\\wscript.exe'
            OR "ProcessPath" ILIKE '%\\regsvr32.exe'
            OR "ProcessPath" ILIKE '%\\certutil.exe'
            OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
        THEN 'HIGH'
        ELSE 'MEDIUM'
    END AS Severity
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
    AND eventid = 1
    -- Parent must be an Office application
    AND (
        "ParentProcessPath" ILIKE '%\\winword.exe'
        OR "ParentProcessPath" ILIKE '%\\excel.exe'
        OR "ParentProcessPath" ILIKE '%\\powerpnt.exe'
        OR "ParentProcessPath" ILIKE '%\\outlook.exe'
        OR "ParentProcessPath" ILIKE '%\\onenote.exe'
        OR "ParentProcessPath" ILIKE '%\\mspub.exe'
        OR "ParentProcessPath" ILIKE '%\\msaccess.exe'
    )
    -- Child must be a script interpreter or LOLBin
    AND (
        "ProcessPath" ILIKE '%\\cmd.exe'
        OR "ProcessPath" ILIKE '%\\powershell.exe'
        OR "ProcessPath" ILIKE '%\\pwsh.exe'
        OR "ProcessPath" ILIKE '%\\mshta.exe'
        OR "ProcessPath" ILIKE '%\\wscript.exe'
        OR "ProcessPath" ILIKE '%\\cscript.exe'
        OR "ProcessPath" ILIKE '%\\regsvr32.exe'
        OR "ProcessPath" ILIKE '%\\rundll32.exe'
        OR "ProcessPath" ILIKE '%\\certutil.exe'
        OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
        OR "ProcessPath" ILIKE '%\\wmic.exe'
        OR "ProcessPath" ILIKE '%\\msiexec.exe'
        OR "ProcessPath" ILIKE '%\\curl.exe'
        OR "ProcessPath" ILIKE '%\\schtasks.exe'
    )
ORDER BY RiskScore DESC, starttime DESC
LAST 24 HOURS

QRadar AQL query detecting Office applications (Word, Excel, PowerPoint, Outlook, OneNote, Publisher, Access) spawning LOLBins and script interpreters via Sysmon Event ID 1 (Process Create). It assigns a RiskScore of 90 for high-risk child processes (mshta, cscript, wscript, regsvr32, certutil, bitsadmin) and 75 for the other suspicious children. The AQL time-range clause (LAST 24 HOURS) must be the final clause of the query, after ORDER BY. Requires the Sysmon custom properties ParentProcessPath, ProcessPath, and CommandLine to be mapped in the QRadar DSM.
Data Sources
- Sysmon Event ID 1 (Process Create) with the ParentProcessPath, ProcessPath, and CommandLine custom properties extracted
Required Tables
- events
False Positives & Tuning
- Automated report generation workflows using Excel with macros that call cmd.exe or PowerShell to execute batch file post-processing — create a QRadar building block to exclude known service account usernames (e.g., SVC_REPORTS) from this rule
- Software deployment tools (PDQ Deploy, SCCM) that open Office documents during package installation and may spawn cmd.exe — exclude by source IP ranges of deployment servers in the WHERE clause
- Third-party Office add-ins (e.g., DocuSign, Adobe, Salesforce for Outlook) that use embedded scripts or helper executables — review CommandLine values and whitelist specific signed binaries with known-good argument patterns
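The rule's parent/child matching and RiskScore logic, together with the service-account and deployment-server exclusions from the tuning notes, replayed over constructed Sysmon Event ID 1 records. This is an added example, not code from the detection page; the SVC_REPORTS account, the 10.50.0.0/24 deployment subnet, and the sample events are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Parent and child process sets mirror the WHERE clause of the AQL rule above.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "onenote.exe", "mspub.exe", "msaccess.exe"}
HIGH_RISK_CHILDREN = {"mshta.exe", "cscript.exe", "wscript.exe",
                      "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
SUSPICIOUS_CHILDREN = HIGH_RISK_CHILDREN | {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "wmic.exe", "msiexec.exe", "curl.exe", "schtasks.exe"}
# Tuning exclusions from the False Positives section (hypothetical values).
EXCLUDED_USERS = {"svc_reports"}
DEPLOYMENT_SERVER_NETS = [ip_network("10.50.0.0/24")]


def basename(path):
    """Last path component, lower-cased: the equivalent of ILIKE '%\\name.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """(RiskScore, Severity) for a Sysmon Event ID 1 that matches the rule, else None."""
    if ev.get("EventID") != 1:
        return None
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    # Tuning: drop known service accounts and deployment-server source ranges.
    if ev.get("User", "").rsplit("\\", 1)[-1].lower() in EXCLUDED_USERS:
        return None
    if any(ip_address(ev["sourceip"]) in net for net in DEPLOYMENT_SERVER_NETS):
        return None
    return (90, "HIGH") if child in HIGH_RISK_CHILDREN else (75, "MEDIUM")


def triage(events):
    """Matching events with their scores, highest RiskScore first (ORDER BY RiskScore DESC)."""
    return sorted([(ev, s) for ev in events if (s := score_event(ev))],
                  key=lambda h: h[1][0], reverse=True)


# Constructed Sysmon Event ID 1 records; "sourceip" plays the role of QRadar's sourceip.
OFFICE, SYS32 = "C:\\Program Files\\Microsoft Office\\root\\Office16\\", "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "sourceip": "10.20.1.15", "User": "CORP\\jsmith",
     "ParentImage": OFFICE + "EXCEL.EXE", "Image": SYS32 + "cmd.exe"},
    {"EventID": 1, "sourceip": "10.20.1.22", "User": "CORP\\jdoe",
     "ParentImage": OFFICE + "WINWORD.EXE", "Image": SYS32 + "mshta.exe"},
    {"EventID": 1, "sourceip": "10.20.1.40", "User": "CORP\\SVC_REPORTS",
     "ParentImage": OFFICE + "EXCEL.EXE", "Image": SYS32 + "cmd.exe"},   # excluded user
    {"EventID": 1, "sourceip": "10.50.0.7", "User": "CORP\\pdqsvc",
     "ParentImage": OFFICE + "WINWORD.EXE", "Image": SYS32 + "cmd.exe"},  # deployment net
    {"EventID": 1, "sourceip": "10.20.1.15", "User": "CORP\\jsmith",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": SYS32 + "cmd.exe"},  # not Office
]
```

Running triage(SAMPLE_EVENTS) yields two hits: the winword.exe > mshta.exe chain at 90/HIGH first, then excel.exe > cmd.exe at 75/MEDIUM; the service-account, deployment-subnet and explorer.exe-parent events are suppressed.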
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Office Macro Child Process Simulation (Excel)
Expected signal: Sysmon Event ID 1: Excel.exe spawning cmd.exe. Parent process chain: explorer.exe > excel.exe > cmd.exe.
References (6)
- https://www.ncsc.gov.uk/guidance/phishing
- https://www.microsoft.com/en-us/security/blog/2022/02/07/macro-based-delivery-of-qakbot/
- https://attack.mitre.org/techniques/T1566/001/
- https://attack.mitre.org/techniques/T1059/005/
- https://github.com/decalage2/oletools
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference