THREAT-InitialAccess-PhishingMacro Microsoft Sentinel · KQL

Detect Phishing Document Macro Execution and Initial Access in Microsoft Sentinel

Despite Microsoft's macro-blocking default settings (Block macros from the internet in Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: moving to ISO/IMG file containers that strip the Mark-of-the-Web (MOTW) flag, using template injection attacks (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced with .onepkg), and targeting users who have manually disabled macro blocking via Group Policy misconfiguration or social engineering ('Enable content to view this document'). QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. NCSC 2025 advisory noted macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.

MITRE ATT&CK

Tactic
Initial Access Execution

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// THREAT: Phishing Macro Initial Access Detection
// Detects malicious macro execution via suspicious child processes
// from Office applications and document-related processes

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe"]);
let SuspiciousChildren = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
    "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe",
    "curl.exe", "wget.exe", "schtasks.exe", "taskschd.msc"
]);
let HighRiskApps = dynamic(["wscript.exe", "cscript.exe", "mshta.exe",
    "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]);
// Alert 1: Office app spawning suspicious child process
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| extend HighRisk = FileName in~ (HighRiskApps)
| extend RiskScore = iff(HighRisk, 90, 75)
| project Timestamp, DeviceName, AccountName,
    FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RiskScore
| extend ThreatType = "Macro_SuspiciousChildProcess";
// Alert 2: ISO/IMG container mounting followed by Office doc execution
let MountEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".iso" or FileName endswith ".img" or FileName endswith ".vhd"
| where ActionType =~ "FileCreated"
| project MountTime=Timestamp, DeviceName, MountedFile=FileName, AccountName;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| join kind=inner MountEvents on DeviceName, AccountName
| where datetime_diff('minute', Timestamp, MountTime) between (0 .. 30)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, MountedFile
| extend ThreatType = "Macro_ISOContainer_Execution"
high severity high confidence

Two-vector phishing macro detection: (1) Office applications spawning suspicious child processes (cmd.exe, PowerShell, wscript.exe, mshta.exe, etc.) — the direct macro execution indicator; (2) ISO/IMG file mounting followed by Office document execution within 30 minutes — the MOTW-bypass pattern where attackers package documents in ISO containers to circumvent macro blocking. High-risk child processes (mshta, regsvr32, cscript) score 90; lower-risk (cmd, PowerShell) score 75.

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceFileEvents)Sysmon Event ID 1, 11Microsoft 365 Defender

Required Tables

DeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • Legitimate Office macros that invoke cmd.exe for file management operations (e.g., print macros, export scripts)
  • Developers testing Office automation or VBA scripts who invoke PowerShell from Excel or Word
  • IT management scripts embedded in Office templates that run system commands (should be replaced with modern automation)
  • Legitimate ISO file usage for software installation followed by document viewing on the same day
Download portable Sigma rule (.yml)

Other platforms for THREAT-InitialAccess-PhishingMacro

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Office Macro Child Process Simulation (Excel)

    Expected signal: Sysmon Event ID 1: Excel.exe spawning cmd.exe. Parent process chain: explorer.exe > excel.exe > cmd.exe.

Last updated: 2026-04-25 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for THREAT-InitialAccess-PhishingMacro including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1566.001Spearphishing Attachment

Related Techniques

T1566.001Spearphishing AttachmentT1059.005Visual BasicT1204.002Malicious FileT1027.006HTML SmugglingT1553.005Mark-of-the-Web BypassT1547.001Registry Run Keys / Startup Folder

Same Tactic: Initial Access

Popular Detections