The hypothesis is that an adversary is attempting to exfiltrate data or deploy malware by leveraging macro-enabled Office documents downloaded through a web browser or email client. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage malware execution or data theft attempts that may bypass traditional detection methods.
Detection Rule
title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
      type: similar
status: test
description: |
    Detects the creation of new Office macro files on the system via an application (browser, mail client).
    This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_processes:
        Image|endswith:
            # Email clients
            - '\RuntimeBroker.exe' # Windows Mail clients use RuntimeBroker to create the files
            - '\outlook.exe'
            - '\thunderbird.exe'
            # Browsers
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
    selection_ext:
        # Either the macro file itself or its Zone.Identifier alternate data stream (Mark of the Web)
        - TargetFilename|endswith:
              - '.docm'
              - '.dotm'
              - '.xlsm'
              - '.xltm'
              - '.potm'
              - '.pptm'
        - TargetFilename|contains:
              - '.docm:Zone'
              - '.dotm:Zone'
              - '.xlsm:Zone'
              - '.xltm:Zone'
              - '.potm:Zone'
              - '.pptm:Zone'
    condition: all of selection_*
falsepositives:
    - Legitimate macro files downloaded from the internet
    - Legitimate macro files sent as attachments via emails
level: low
imFileEvent
// file_event in Sigma means file creation; restrict the ASIM parser output accordingly
| where EventType == "FileCreated"
// Sigma's Image is the creating (acting) process, which ASIM exposes as ActingProcessName.
// Testing TargetFilePath for the process name would never match, since the same path cannot also end in a macro extension.
| where ActingProcessName endswith "\\RuntimeBroker.exe" or ActingProcessName endswith "\\outlook.exe" or ActingProcessName endswith "\\thunderbird.exe"
    or ActingProcessName endswith "\\brave.exe" or ActingProcessName endswith "\\chrome.exe" or ActingProcessName endswith "\\firefox.exe"
    or ActingProcessName endswith "\\iexplore.exe" or ActingProcessName endswith "\\maxthon.exe" or ActingProcessName endswith "\\MicrosoftEdge.exe"
    or ActingProcessName endswith "\\msedge.exe" or ActingProcessName endswith "\\msedgewebview2.exe" or ActingProcessName endswith "\\opera.exe"
    or ActingProcessName endswith "\\safari.exe" or ActingProcessName endswith "\\seamonkey.exe" or ActingProcessName endswith "\\vivaldi.exe"
    or ActingProcessName endswith "\\whale.exe"
// Macro-enabled file written directly, or its Zone.Identifier alternate data stream
| where (TargetFileName endswith ".docm" or TargetFileName endswith ".dotm" or TargetFileName endswith ".xlsm"
        or TargetFileName endswith ".xltm" or TargetFileName endswith ".potm" or TargetFileName endswith ".pptm")
    or (TargetFileName contains ".docm:Zone" or TargetFileName contains ".dotm:Zone" or TargetFileName contains ".xlsm:Zone"
        or TargetFileName contains ".xltm:Zone" or TargetFileName contains ".potm:Zone" or TargetFileName contains ".pptm:Zone")
Scenario: User downloads a legitimate macro-enabled document from a trusted internal SharePoint site
Filter/Exclusion: Check the source URL against a whitelist of internal SharePoint sites. Example: source_ip = 10.0.0.0/24 or url contains "internal.sharepoint.com"
Scenario: System administrator deploys a scheduled job that generates a macro-enabled Excel file for reporting purposes
Filter/Exclusion: Filter by user account (e.g., user = "admin_reporting") or check the file path (e.g., file_path contains "/reports/")
Scenario: IT team uses Microsoft Word to create a macro-enabled template for internal use
Filter/Exclusion: Filter by file extension (e.g., file_extension = ".dotm") and check the user context (e.g., user = "it_support") or file location (e.g., file_path contains "/templates/")
Scenario: A user receives a macro-enabled document via email from a known internal vendor and opens it in Outlook
Filter/Exclusion: Check the sender’s email domain (e.g., sender_domain = "vendorcompany.com") or use email filtering rules to exclude known internal vendors
Scenario: A developer uses Visual Studio to generate a macro-enabled Word document as part of an automation script
Filter/Exclusion: Filter by process name (e.g., process = "devenv.exe") or check the file path (e.g., file_path contains "/dev/automation/")