Tactic or Technique: Macros

Attackers use malicious macros hidden inside Microsoft Office files to run code on your device when you open the document. These files often appear as routine business attachments, and when opened, they prompt you to "Enable Content." Clicking that button runs the macro, which can silently install malware, steal data, or give the attacker remote access.
Filenames often follow familiar patterns like “Invoice_March2025.xlsm” or “Contract_Review.docm,” and the message usually includes urgent or convincing language that encourages you to trust the file and enable macros.
Even with Microsoft's stricter default macro settings, this technique still works because it trades on familiarity: Office files are routine in day-to-day work, and macros are a built-in feature. Enabling them in a file you weren't expecting, however, can result in ransomware, stolen credentials, or long-term access to your environment.
Detection Methods (12):
Archive analysis
File analysis
Macro analysis
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
Computer Vision
QR code analysis
YARA
OLE analysis
| Rule Name | Last Updated | Author | Types & Tactics | Detection Methods | Link |
|---|---|---|---|---|---|
| Attachment: Macro Files Containing MHT Content | Jun 12th, 2025 UTC | Sublime Security | Malware/Ransomware, Credential Phishing, Evasion, Macros, Scripting | Archive analysis, File analysis, Macro analysis | /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b |
| Attachment: USDA Bid Invitation Impersonation | May 23rd, 2025 UTC | Sublime Security | BEC/Fraud, Impersonation: Brand, PDF, Macros, Social engineering | Content analysis, File analysis, Header analysis, Natural Language Understanding, Optical Character Recognition, Sender analysis | /feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493 |
| Attachment: QR Code Link With Base64-Encoded Recipient Address | Mar 27th, 2025 UTC | Sublime Security | Credential Phishing, QR code, Image as content, Social engineering, Evasion, PDF, Macros | Computer Vision, File analysis, Natural Language Understanding, QR code analysis, Sender analysis | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a |
| Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability | Mar 21st, 2025 UTC | Sublime Security | Credential Phishing, Scripting, Macros, Exploit | Archive analysis, Content analysis, File analysis | /feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b |
| Attachment with VBA macros from employee impersonation (unsolicited) | Feb 26th, 2024 UTC | Sublime Security | Malware/Ransomware, Impersonation: Employee, Macros, Social engineering | Archive analysis, File analysis, Macro analysis, Sender analysis | /feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123 |
| Suspicious VBA macros from untrusted sender | Feb 23rd, 2024 UTC | Sublime Security | Malware/Ransomware, Macros | File analysis, Macro analysis, Sender analysis | /feeds/core/detection-rules/suspicious-vba-macros-from-untrusted-sender-37cec120 |
| Attachment: Archive contains DLL-loading macro | Dec 28th, 2023 UTC | Sublime Security | Malware/Ransomware, Exploit, LNK, Macros, Scripting | Archive analysis, File analysis, Macro analysis, YARA | /feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f |
| Attachment with auto-executing macro (unsolicited) | Dec 19th, 2023 UTC | Sublime Security | Malware/Ransomware, Macros | Archive analysis, Header analysis, File analysis, Macro analysis, OLE analysis, Sender analysis | /feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3 |
| Attachment: Encrypted Microsoft Office file (unsolicited) | Dec 19th, 2023 UTC | Sublime Security | Malware/Ransomware, Encryption, Macros, Scripting | Archive analysis, File analysis, OLE analysis, Sender analysis | /feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953 |
| Attachment soliciting user to enable macros | Dec 19th, 2023 UTC | Sublime Security | Malware/Ransomware, Macros | Archive analysis, File analysis, Macro analysis, Optical Character Recognition, Sender analysis | /feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515 |
| Attachment with auto-opening VBA macro (unsolicited) | Dec 19th, 2023 UTC | Sublime Security | Malware/Ransomware, Macros | Archive analysis, File analysis, Macro analysis, Sender analysis | /feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53 |
| Attachment with high risk VBA macro (unsolicited) | Dec 19th, 2023 UTC | Sublime Security | Malware/Ransomware, Macros | File analysis, Macro analysis, OLE analysis, Sender analysis | /feeds/core/detection-rules/attachment-with-high-risk-vba-macro-unsolicited-a2b20e16 |
| Attachment with macro calling executable | Dec 19th, 2023 UTC | Sublime Security | Malware/Ransomware, Evasion, Macros | Archive analysis, File analysis | /feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197 |
| Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability | Dec 19th, 2023 UTC | Sublime Security | Malware/Ransomware, Exploit, Macros, Scripting | Archive analysis, Content analysis, File analysis, Macro analysis, OLE analysis | /feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f |
| Attachment: Potential Sandbox Evasion in Office File | Dec 19th, 2023 UTC | @ajpc500 | Malware/Ransomware, Evasion, Macros | File analysis, Macro analysis | /feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681 |
| Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation | Dec 19th, 2023 UTC | @ajpc500 | Malware/Ransomware, Macros, Scripting | Content analysis, File analysis, Macro analysis | /feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0 |