Tactic or Technique: Macros

Attackers use malicious macros hidden inside Microsoft Office files to run code on your device when you open the document. These files often appear as routine business attachments, and when opened, they prompt you to "Enable Content." Clicking that button runs the macro, which can silently install malware, steal data, or give the attacker remote access.
Filenames often follow familiar patterns like “Invoice_March2025.xlsm” or “Contract_Review.docm,” and the message usually includes urgent or convincing language that encourages you to trust the file and enable macros.
Even with stronger security settings from Microsoft, this technique still works because it relies on familiarity. Office files are common in day-to-day work, and macros are a built-in feature. But enabling them in a file you weren’t expecting can result in ransomware, stolen credentials, or long-term access to your environment.
Attack Types (3):
Credential Phishing
Malware/Ransomware
BEC/Fraud
Detection Methods (13):
Exif analysis
File analysis
Archive analysis
OLE analysis
Sender analysis
Macro analysis
Computer Vision
Natural Language Understanding
QR code analysis
Content analysis
Optical Character Recognition
Header analysis
YARA
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Excel file with suspicious template identifier
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Evasion
Macros
Exif analysis
File analysis
/feeds/core/detection-rules/attachment-excel-file-with-suspicious-template-identifier-40f84b4b
Attachment: Encrypted Microsoft Office file (unsolicited)
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Encryption
Macros
Scripting
Archive analysis
File analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953
Attachment: Macro files containing MHT content
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
Evasion
Macros
Scripting
Archive analysis
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b
Attachment: Potential sandbox evasion in Office file
11d ago
Jan 12th, 2026
@ajpc500
Malware/Ransomware
Evasion
Macros
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681
Attachment: QR code link with base64-encoded recipient address
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
QR code
Image as content
Social engineering
Evasion
PDF
Macros
Computer Vision
File analysis
Natural Language Understanding
QR code analysis
Sender analysis
/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
11d ago
Jan 12th, 2026
@ajpc500
Malware/Ransomware
Macros
Scripting
Content analysis
File analysis
Macro analysis
/feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0
Attachment soliciting user to enable macros
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Macros
Archive analysis
File analysis
Macro analysis
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515
Suspicious VBA macros from untrusted sender
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Macros
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/suspicious-vba-macros-from-untrusted-sender-37cec120
Attachment with auto-executing macro (unsolicited)
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Macros
Archive analysis
Header analysis
File analysis
Macro analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3
Attachment with auto-opening VBA macro (unsolicited)
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Macros
Archive analysis
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53
Attachment with macro calling executable
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
Macros
Archive analysis
File analysis
/feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197
Attachment with VBA macros from employee impersonation (unsolicited)
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Impersonation: Employee
Macros
Social engineering
Archive analysis
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123
Attachment with high risk VBA macro (unsolicited)
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Macros
File analysis
Macro analysis
OLE analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-high-risk-vba-macro-unsolicited-a2b20e16
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Exploit
Macros
Scripting
Archive analysis
Content analysis
File analysis
Macro analysis
OLE analysis
/feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f
Attachment: XLSX file with suspicious print titles metadata
4mo ago
Sep 16th, 2025
Sublime Security
Credential Phishing
Evasion
Macros
File analysis
Exif analysis
/feeds/core/detection-rules/attachment-xlsx-file-with-suspicious-print-titles-metadata-4c265cbe
Attachment: USDA bid invitation impersonation
5mo ago
Aug 5th, 2025
Sublime Security
BEC/Fraud
Impersonation: Brand
PDF
Macros
Social engineering
Content analysis
File analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
10mo ago
Mar 21st, 2025
Sublime Security
Credential Phishing
Scripting
Macros
Exploit
Archive analysis
Content analysis
File analysis
/feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b
Attachment: Archive contains DLL-loading macro
3y ago
Dec 28th, 2023
Sublime Security
Malware/Ransomware
Exploit
LNK
Macros
Scripting
Archive analysis
File analysis
Macro analysis
YARA
/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f