Tactic or Technique: Macros

Attackers use malicious macros hidden inside Microsoft Office files to run code on your device when you open the document. These files often appear as routine business attachments, and when opened, they prompt you to "Enable Content." Clicking that button runs the macro, which can silently install malware, steal data, or give the attacker remote access.
Filenames often follow familiar patterns like “Invoice_March2025.xlsm” or “Contract_Review.docm,” and the message usually includes urgent or convincing language that encourages you to trust the file and enable macros.
Even with stronger security settings from Microsoft, this technique still works because it relies on familiarity. Office files are common in day-to-day work, and macros are a built-in feature. But enabling them in a file you weren’t expecting can result in ransomware, stolen credentials, or long-term access to your environment.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: USDA Bid Invitation Impersonation
14d ago
May 23rd, 2025
Sublime Security
/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Attachment: QR Code Link With Base64-Encoded Recipient Address
2mo ago
Mar 27th, 2025
Sublime Security
/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
2mo ago
Mar 21st, 2025
Sublime Security
/feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b
Attachment with VBA macros from employee impersonation (unsolicited)
1y ago
Feb 26th, 2024
Sublime Security
/feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123
Suspicious VBA macros from untrusted sender
1y ago
Feb 23rd, 2024
Sublime Security
/feeds/core/detection-rules/suspicious-vba-macros-from-untrusted-sender-37cec120
Attachment: Archive contains DLL-loading macro
2y ago
Dec 28th, 2023
Sublime Security
/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f
Attachment soliciting user to enable macros
2y ago
Dec 19th, 2023
Sublime Security
/feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515
Attachment with auto-executing macro (unsolicited)
2y ago
Dec 19th, 2023
Sublime Security
/feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3
Attachment: Encrypted Microsoft Office file (unsolicited)
2y ago
Dec 19th, 2023
Sublime Security
/feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953
Attachment: Potential Sandbox Evasion in Office File
2y ago
Dec 19th, 2023
@ajpc500
/feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681
Attachment with auto-opening VBA macro (unsolicited)
2y ago
Dec 19th, 2023
Sublime Security
/feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53
Attachment with high risk VBA macro (unsolicited)
2y ago
Dec 19th, 2023
Sublime Security
/feeds/core/detection-rules/attachment-with-high-risk-vba-macro-unsolicited-a2b20e16
Attachment with macro calling executable
2y ago
Dec 19th, 2023
Sublime Security
/feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
2y ago
Dec 19th, 2023
Sublime Security
/feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f
Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation
2y ago
Dec 19th, 2023
@ajpc500
/feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0