Tactic or Technique: Macros

Attackers use malicious macros hidden inside Microsoft Office files to run code on your device when you open the document. These files often appear as routine business attachments, and when opened, they prompt you to "Enable Content." Clicking that button runs the macro, which can silently install malware, steal data, or give the attacker remote access.
Filenames often follow familiar patterns like “Invoice_March2025.xlsm” or “Contract_Review.docm,” and the message usually includes urgent or convincing language that encourages you to trust the file and enable macros.
Even with stronger security settings from Microsoft, this technique still works because it relies on familiarity. Office files are common in day-to-day work, and macros are a built-in feature. But enabling them in a file you weren’t expecting can result in ransomware, stolen credentials, or long-term access to your environment.
Attack Types (3):
Malware/Ransomware
Credential Phishing
BEC/Fraud
Detection Methods (12):
Archive analysis
File analysis
Macro analysis
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
Computer Vision
QR code analysis
YARA
OLE analysis
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Macro Files Containing MHT Content
17d ago
Jun 12th, 2025 UTC
Sublime Security
Malware/Ransomware
Credential Phishing
Evasion
Macros
Scripting
Archive analysis
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b
Attachment: USDA Bid Invitation Impersonation
1mo ago
May 23rd, 2025 UTC
Sublime Security
BEC/Fraud
Impersonation: Brand
PDF
Macros
Social engineering
Content analysis
File analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Attachment: QR Code Link With Base64-Encoded Recipient Address
3mo ago
Mar 27th, 2025 UTC
Sublime Security
Credential Phishing
QR code
Image as content
Social engineering
Evasion
PDF
Macros
Computer Vision
File analysis
Natural Language Understanding
QR code analysis
Sender analysis
/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
3mo ago
Mar 21st, 2025 UTC
Sublime Security
Credential Phishing
Scripting
Macros
Exploit
Archive analysis
Content analysis
File analysis
/feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b
Attachment with VBA macros from employee impersonation (unsolicited)
1y ago
Feb 26th, 2024 UTC
Sublime Security
Malware/Ransomware
Impersonation: Employee
Macros
Social engineering
Archive analysis
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123
Suspicious VBA macros from untrusted sender
1y ago
Feb 23rd, 2024 UTC
Sublime Security
Malware/Ransomware
Macros
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/suspicious-vba-macros-from-untrusted-sender-37cec120
Attachment: Archive contains DLL-loading macro
2y ago
Dec 28th, 2023 UTC
Sublime Security
Malware/Ransomware
Exploit
LNK
Macros
Scripting
Archive analysis
File analysis
Macro analysis
YARA
/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f
Attachment with auto-executing macro (unsolicited)
2y ago
Dec 19th, 2023 UTC
Sublime Security
Malware/Ransomware
Macros
Archive analysis
Header analysis
File analysis
Macro analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3
Attachment: Encrypted Microsoft Office file (unsolicited)
2y ago
Dec 19th, 2023 UTC
Sublime Security
Malware/Ransomware
Encryption
Macros
Scripting
Archive analysis
File analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953
Attachment soliciting user to enable macros
2y ago
Dec 19th, 2023 UTC
Sublime Security
Malware/Ransomware
Macros
Archive analysis
File analysis
Macro analysis
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515
Attachment with auto-opening VBA macro (unsolicited)
2y ago
Dec 19th, 2023 UTC
Sublime Security
Malware/Ransomware
Macros
Archive analysis
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53
Attachment with high risk VBA macro (unsolicited)
2y ago
Dec 19th, 2023 UTC
Sublime Security
Malware/Ransomware
Macros
File analysis
Macro analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-high-risk-vba-macro-unsolicited-a2b20e16
Attachment with macro calling executable
2y ago
Dec 19th, 2023 UTC
Sublime Security
Malware/Ransomware
Evasion
Macros
Archive analysis
File analysis
/feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
2y ago
Dec 19th, 2023 UTC
Sublime Security
Malware/Ransomware
Exploit
Macros
Scripting
Archive analysis
Content analysis
File analysis
Macro analysis
OLE analysis
/feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f
Attachment: Potential Sandbox Evasion in Office File
2y ago
Dec 19th, 2023 UTC
@ajpc500
Malware/Ransomware
Evasion
Macros
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681
Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation
2y ago
Dec 19th, 2023 UTC
@ajpc500
Malware/Ransomware
Macros
Scripting
Content analysis
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0