Adversaries inject VBA macros into Office templates such as Normal.dotm or Personal.xlsb, or redirect the Office template load path via the GlobalDotName registry value, to gain persistence. Macros in these templates execute automatically when the application starts.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |
| Command Execution (DC0064) | WinEventLog:Microsoft-Office-Alerts | Office application warning or alert on macro execution from template |

| Field | Description |
|---|---|
| TemplatePath | Path to Normal.dotm, Personal.xlsb, or Excel/Word startup templates; may vary by Office version and user |
| RegistryPath | GlobalDotName or equivalent registry keys; may differ across Office versions or deployments |
| TimeWindow | Office process creation and macro execution timing after system or user login |
| UserContext | May be scoped to high-value users or those with access to sensitive templates |

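The Sysmon-based analytic above, worked through as an added example (not part of the original page): it labels file writes to Word/Excel auto-load template locations by non-Office processes (EventCode 11/15), labels writes to the GlobalDotName registry value (EventCode 13/14), and applies the TimeWindow element by checking whether an Office process started within a configurable window afterwards. The sample events, paths and the 300-second window are constructed assumptions, not real telemetry.

```python
from typing import Dict, List, Optional, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}  # expected template writers
TEMPLATE_FILES = {"normal.dotm", "personal.xlsb"}
TEMPLATE_DIRS = ("\\templates\\", "\\xlstart\\", "\\startup\\")  # Word/Excel auto-load folders

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_template_path(path: str) -> bool:
    p = path.lower()
    return basename(p) in TEMPLATE_FILES or any(d in p for d in TEMPLATE_DIRS)

def check_event(ev: Dict) -> Optional[str]:
    """Label one Sysmon event as a template-persistence indicator, or None."""
    image, code = basename(ev.get("Image", "")), ev.get("EventCode")
    if code in (11, 15) and is_template_path(ev.get("TargetFilename", "")):
        # Office rewrites Normal.dotm routinely; any other writer is the signal
        if image not in OFFICE_IMAGES:
            return f"template_write_by_non_office:{image}"
    if code in (13, 14) and basename(ev.get("TargetObject", "")) == "globaldotname":
        # GlobalDotName redirects Word's global template; UNC targets are highest risk
        kind = "unc" if ev.get("Details", "").startswith("\\\\") else "local"
        return f"globaldotname_set:{kind}:{image}"
    return None

def scan(events: List[Dict], window: int = 300) -> List[Tuple[int, str, bool]]:
    """Return (UtcTime, label, office_launched_within_window) per indicator (TimeWindow element)."""
    starts = [e["UtcTime"] for e in events if e.get("EventCode") == 1 and basename(e.get("Image", "")) in OFFICE_IMAGES]
    out = []
    for ev in events:
        label = check_event(ev)
        if label:
            followed = any(0 <= t - ev["UtcTime"] <= window for t in starts)
            out.append((ev["UtcTime"], label, followed))
    return out

# Constructed sample events (not real telemetry); UtcTime is seconds since epoch
SAMPLE = [
    {"EventCode": 11, "UtcTime": 100, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventCode": 11, "UtcTime": 110, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventCode": 13, "UtcTime": 120, "Image": r"C:\Windows\System32\reg.exe", "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Word\Options\GlobalDotName", "Details": r"\\fileshare\templates\corp.dotm"},
    {"EventCode": 1, "UtcTime": 150, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 11, "UtcTime": 5000, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB"},
]

if __name__ == "__main__":
    for utc, label, followed in scan(SAMPLE):
        print(utc, label, "office-launched-in-window" if followed else "no-launch-seen")
```

The benign WINWORD.EXE write to Normal.dotm produces no finding, while the cmd.exe write to PERSONAL.XLSB is still reported with the window flag set to False, so the TimeWindow element ranks rather than suppresses.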
Malicious VBA macros embedded in base templates such as Normal.dotm or Personal.xlsb are loaded and executed automatically at application startup. The template path may also be hijacked to load a remote or attacker-controlled template through the GlobalDotName registry setting.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | m365:unified | Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation |

| Field | Description |
|---|---|
| TemplateSource | Macros may be embedded in local user templates or retrieved from shared network paths |
| MacroSecurityLevel | Macro execution policy (disabled, warn, enabled) varies by tenant or user configuration |