THREAT-InitialAccess-PhishingMacro Sumo Logic CSE · Sumo

Detect Phishing Document Macro Execution and Initial Access in Sumo Logic CSE

Despite Microsoft's macro-blocking default settings (Block macros from the internet in Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: moving to ISO/IMG file containers that strip the Mark-of-the-Web (MOTW) flag, using template injection attacks (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced with .onepkg), and targeting users who have manually disabled macro blocking via Group Policy misconfiguration or social engineering ('Enable content to view this document'). QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. NCSC 2025 advisory noted macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.

MITRE ATT&CK

Tactic
Initial Access, Execution

Sumo Detection Query

Sumo Logic CSE (Sumo)

// Sysmon Event ID 1 (Process Create) from Windows endpoint collectors
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*wineventlog*)
| where EventID = "1" OR event_id = "1"
// Take the last path component of Image/ParentImage (anchored at end of path), then
// lower-case it: Sysmon reports Office binaries with on-disk casing (WINWORD.EXE, EXCEL.EXE),
// which would never match a lower-case list with an exact comparison
| parse regex field=ParentImage "(?<ParentProcessName>[^\\]+)$" nodrop
| parse regex field=Image "(?<ProcessName>[^\\]+)$" nodrop
| toLowerCase(ParentProcessName) as ParentProcessName
| toLowerCase(ProcessName) as ProcessName
| where ParentProcessName in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "mspub.exe", "msaccess.exe")
| where ProcessName in ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe", "curl.exe", "wget.exe", "schtasks.exe")
// Script hosts and download/registration LOLBins score higher than generic shells
| if(ProcessName in ("mshta.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"), "YES", "NO") as HighRisk
| if(HighRisk = "YES", 90, 75) as RiskScore
| "QakBot successor (Pikabot/DarkGate), TA577, Lazarus Group" as ThreatActors
| "Macro_SuspiciousChildProcess" as ThreatType
| fields _sourceHost, User, ParentProcessName, ProcessName, CommandLine, RiskScore, HighRisk, ThreatType, ThreatActors
| count by _sourceHost, User, ParentProcessName, ProcessName, HighRisk, RiskScore, ThreatType
| sort by RiskScore desc

Severity: high. Confidence: high.

Sumo Logic CSE query detecting Microsoft Office applications spawning suspicious child processes consistent with macro-based phishing initial access. Parses Sysmon Event ID 1 fields using Sumo's parse operator to extract ParentProcessName and ProcessName from Image/ParentImage paths. Risk-scores results with 90 for high-risk LOLBins (mshta, cscript, wscript, regsvr32, certutil, bitsadmin) and 75 for others. Covers QakBot successors, Pikabot, DarkGate, TA577, and Lazarus Group delivery patterns.

Data Sources

  • Sumo Logic Cloud SIEM
  • Sysmon Event ID 1 (Process Create) via Sumo Installed Collector
  • Windows Event Log collector with Sysmon operational channel

Required Tables

Sysmon Process Create events (EventID 1) ingested under appropriate _sourceCategory

False Positives & Tuning

  • Finance department Excel dashboards with approved macros that invoke PowerShell scripts for data pull from internal APIs — add a Sumo Logic allowlist lookup table of approved automation host/user pairs and join against it to suppress known-good events
  • IT support workflows that use Outlook rules to trigger cmd.exe-based scripts for ticket creation or alert forwarding — investigate the CommandLine field; legitimate automation will have static, recognisable argument patterns rather than obfuscated or download-oriented commands
  • Legacy line-of-business applications using Word or Excel automation that call regsvr32.exe to register COM components during startup — correlate with software deployment windows and suppress events within change-freeze windows where deployment activity is expected
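The following is an added example, not code from the original page or from Sumo Logic: a Python model of the detection logic in the query above (Office parent, suspicious child, high-risk tiering, count by host/user/parent/child) combined with the allowlist-lookup suppression suggested in the first tuning bullet. Field names (EventID, Computer, User, Image, ParentImage, CommandLine) follow the Sysmon Event ID 1 schema; the sample events and the approved-automation pairs are constructed for the example. It also shows the edge case that breaks naive matching: Sysmon reports Office binaries with their on-disk casing (WINWORD.EXE), so the process name is lower-cased before comparison.

```python
"""Model of the Office-spawns-LOLBin detection over constructed Sysmon Event ID 1 records,
with an allowlist of approved automation (host, user) pairs. Added example; not the
page's or Sumo Logic's code."""
from collections import Counter
from typing import FrozenSet, Iterable, List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "onenote.exe", "mspub.exe", "msaccess.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
                       "bitsadmin.exe", "wmic.exe", "msiexec.exe", "curl.exe", "wget.exe",
                       "schtasks.exe"}
HIGH_RISK = {"mshta.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "certutil.exe",
             "bitsadmin.exe"}


def process_name(image_path: str) -> str:
    """Last component of a Windows image path, lower-cased so that Sysmon's on-disk
    casing (e.g. WINWORD.EXE) matches the lower-case allow/deny lists."""
    return image_path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[dict]:
    """Return a scored hit for an Office->suspicious-child Process Create, else None."""
    if event.get("EventID") != 1:
        return None
    parent = process_name(event.get("ParentImage", ""))
    child = process_name(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    high = child in HIGH_RISK
    return {
        "host": event.get("Computer", ""),
        "user": event.get("User", ""),
        "parent": parent,
        "child": child,
        "command_line": event.get("CommandLine", ""),
        "high_risk": high,
        "risk_score": 90 if high else 75,  # same tiering as the query
    }


def detect(events: Iterable[dict],
           allowlist: FrozenSet[Tuple[str, str]] = frozenset()
           ) -> Tuple[List[dict], Counter]:
    """Alerts sorted by risk (desc) plus counts keyed like the query's `count by`.
    (host, user) pairs in `allowlist` are approved automation and are suppressed."""
    alerts = [h for h in (score_event(e) for e in events)
              if h is not None and (h["host"], h["user"]) not in allowlist]
    alerts.sort(key=lambda h: h["risk_score"], reverse=True)
    counts = Counter((h["host"], h["user"], h["parent"], h["child"]) for h in alerts)
    return alerts, counts


# Constructed sample telemetry (not real events).
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    # Word launching mshta: high-risk tier.
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": OFFICE16 + r"\WINWORD.EXE", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta"},
    # Excel launching PowerShell on an approved finance automation host: suppressed.
    {"EventID": 1, "Computer": "FIN-DASH01", "User": "CORP\\svc_finance",
     "ParentImage": OFFICE16 + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Automation\pull_kpis.ps1"},
    # Excel launching cmd.exe on an ordinary workstation: standard tier (75).
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": OFFICE16 + r"\EXCEL.EXE", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Explorer launching Word: Office is the child, not the parent; no alert.
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": OFFICE16 + r"\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE"},
    # Event ID 3 (network connect) is not a Process Create; ignored.
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": OFFICE16 + r"\WINWORD.EXE", "Image": r"C:\Windows\System32\mshta.exe"},
]
APPROVED_AUTOMATION = frozenset({("FIN-DASH01", "CORP\\svc_finance")})

if __name__ == "__main__":
    hits, by_key = detect(SAMPLE_EVENTS, APPROVED_AUTOMATION)
    for h in hits:
        print(h["risk_score"], h["host"], h["user"], h["parent"], "->", h["child"], h["command_line"])
    print(dict(by_key))
```

The allowlist key is deliberately (host, user) rather than just the process pair, so that approving one finance dashboard does not silence Excel-to-PowerShell on every workstation; in Sumo Logic the equivalent is a lookup table joined on _sourceHost and User before the `count by`.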

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Office Macro Child Process Simulation (Excel)

    Expected signal: Sysmon Event ID 1: Excel.exe spawning cmd.exe. Parent process chain: explorer.exe > excel.exe > cmd.exe.
