title: Phishing Document Macro Execution and Initial Access (THREAT-InitialAccess-PhishingMacro)
id: df00tech-threat-initialaccess-phishingmacro
status: experimental
description: "Despite Microsoft's macro-blocking default ('Block macros from the internet', Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: delivering documents inside ISO/IMG containers so that the extracted files carry no Mark-of-the-Web (MOTW) flag, using template injection (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced as .onepkg), and targeting users whose macro blocking has been disabled through Group Policy misconfiguration or who are socially engineered into clicking 'Enable content to view this document'. QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. An NCSC 2025 advisory noted that macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions."
references:
  - https://attack.mitre.org/techniques/THREAT-InitialAccess-PhishingMacro/
  - https://df00tech.com/detections/THREAT-InitialAccess-PhishingMacro
author: df00tech
date: 2026/04/25
tags:
  - attack.threat-initialaccess-phishingmacro
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The vendor's detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is derived from the documented false positives (an Office application
  # spawning cmd.exe or PowerShell) and from the Word/Excel/OneNote lures named in the description.
  # It replaces the former wildcard 'EventID: *' selection, which matched every process_creation event.
  selection_parent:
    ParentImage|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\onenote.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection_parent and selection_child
falsepositives:
  - "Legitimate Office macros that invoke cmd.exe for file management operations (e.g., print macros, export scripts)"
  - Developers testing Office automation or VBA scripts who invoke PowerShell from Excel or Word
  - IT management scripts embedded in Office templates that run system commands (should be replaced with modern automation)
  - Legitimate ISO file usage for software installation followed by document viewing on the same day
level: high
