Template Injection

Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. [1]

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. [2] These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. [3] Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. [4]

This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. [5] [6] [7]

ID: T1221
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: User
Data Sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Process: Process Creation
Defense Bypassed: Static File Analysis
Contributors: Brian Wiltse @evalstrings; Patrick Campbell, @pjcampbe11
Version: 1.2
Created: 17 October 2018
Last Modified: 29 April 2020

Procedure Examples

ID Name Description
G0007 APT28

APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. [8]

G0079 DarkHydrus

DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[9]

G0074 Dragonfly 2.0

Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.[10][11]

G0101 Frankenstein

Frankenstein has used trojanized documents that retrieve remote templates from an adversary-controlled website.[12]

G0047 Gamaredon Group

Gamaredon Group has used DOCX files to download malicious DOT document templates. Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.[13][14]

G0100 Inception

Inception has used decoy documents to load malicious remote payloads via HTTP.[15]

G0081 Tropic Trooper

Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.[16]


ID Mitigation Description
M1049 Antivirus/Antimalware

Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[5]

M1042 Disable or Remove Feature or Program

Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents [17], though this setting may not mitigate the Forced Authentication use for this technique.

M1031 Network Intrusion Prevention

Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[5]

M1017 User Training

Train users to identify social engineering techniques and spearphishing emails.


Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: PowerShell), or other suspicious actions that could relate to post-compromise behavior.