Tactic or Technique: Macros

Attackers use malicious macros hidden inside Microsoft Office files to run code on your device when you open the document. These files often appear as routine business attachments, and when opened, they prompt you to "Enable Content." Clicking that button runs the macro, which can silently install malware, steal data, or give the attacker remote access.
Filenames often follow familiar patterns like “Invoice_March2025.xlsm” or “Contract_Review.docm,” and the message usually includes urgent or convincing language that encourages you to trust the file and enable macros.
Even with stronger security settings from Microsoft, this technique still works because it relies on familiarity. Office files are common in day-to-day work, and macros are a built-in feature. But enabling them in a file you weren’t expecting can result in ransomware, stolen credentials, or long-term access to your environment.
Attack Types (3):
Credential Phishing
BEC/Fraud
Malware/Ransomware
Detection Methods (13):
Exif analysis
File analysis
Computer Vision
Natural Language Understanding
QR code analysis
Sender analysis
Content analysis
Header analysis
Optical Character Recognition
Archive analysis
Macro analysis
OLE analysis
YARA
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Excel file with suspicious template identifier
3mo ago
Sep 17th, 2025
Sublime Security
Credential Phishing
Evasion
Macros
Exif analysis
File analysis
/feeds/core/detection-rules/attachment-excel-file-with-suspicious-template-identifier-40f84b4b
Attachment: XLSX file with suspicious print titles metadata
3mo ago
Sep 16th, 2025
Sublime Security
Credential Phishing
Evasion
Macros
File analysis
Exif analysis
/feeds/core/detection-rules/attachment-xlsx-file-with-suspicious-print-titles-metadata-4c265cbe
Attachment: QR code link with base64-encoded recipient address
5mo ago
Aug 5th, 2025
Sublime Security
Credential Phishing
QR code
Image as content
Social engineering
Evasion
PDF
Macros
Computer Vision
File analysis
Natural Language Understanding
QR code analysis
Sender analysis
/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: USDA bid invitation impersonation
5mo ago
Aug 5th, 2025
Sublime Security
BEC/Fraud
Impersonation: Brand
PDF
Macros
Social engineering
Content analysis
File analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Attachment: Macro files containing MHT content
5mo ago
Aug 5th, 2025
Sublime Security
Malware/Ransomware
Credential Phishing
Evasion
Macros
Scripting
Archive analysis
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b
Attachment: Potential sandbox evasion in Office file
5mo ago
Aug 5th, 2025
@ajpc500
Malware/Ransomware
Evasion
Macros
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
5mo ago
Aug 5th, 2025
@ajpc500
Malware/Ransomware
Macros
Scripting
Content analysis
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0
Attachment soliciting user to enable macros
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Macros
Archive analysis
File analysis
Macro analysis
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515
Attachment with high risk VBA macro (unsolicited)
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Macros
File analysis
Macro analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-high-risk-vba-macro-unsolicited-a2b20e16
Suspicious VBA macros from untrusted sender
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Macros
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/suspicious-vba-macros-from-untrusted-sender-37cec120
Attachment with auto-executing macro (unsolicited)
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Macros
Archive analysis
Header analysis
File analysis
Macro analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3
Attachment: Encrypted Microsoft Office file (unsolicited)
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Encryption
Macros
Scripting
Archive analysis
File analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953
Attachment with VBA macros from employee impersonation (unsolicited)
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Impersonation: Employee
Macros
Social engineering
Archive analysis
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123
Attachment with auto-opening VBA macro (unsolicited)
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Macros
Archive analysis
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
9mo ago
Mar 21st, 2025
Sublime Security
Credential Phishing
Scripting
Macros
Exploit
Archive analysis
Content analysis
File analysis
/feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b
Attachment: Archive contains DLL-loading macro
3y ago
Dec 28th, 2023
Sublime Security
Malware/Ransomware
Exploit
LNK
Macros
Scripting
Archive analysis
File analysis
Macro analysis
YARA
/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f
Attachment with macro calling executable
3y ago
Dec 19th, 2023
Sublime Security
Malware/Ransomware
Evasion
Macros
Archive analysis
File analysis
/feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
3y ago
Dec 19th, 2023
Sublime Security
Malware/Ransomware
Exploit
Macros
Scripting
Archive analysis
Content analysis
File analysis
Macro analysis
OLE analysis
/feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f