This detection rule flags DOCX files that carry an embedded VBA macro project (the word/vbaProject.bin part), which may indicate an adversary attempting to exploit document-based attack vectors. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could lead to persistent access or data exfiltration.
YARA Rule
rule docx_macro : mail
{
    strings:
        // OOXML documents are ZIP archives; "PK" is the ZIP local-file-header signature
        $header = "PK"
        // entry name of the embedded VBA project; ZIP stores entry names uncompressed,
        // so a plain substring match finds it without unpacking the archive
        $vbaStrings = "word/vbaProject.bin" nocase
    condition:
        $header at 0 and $vbaStrings
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic uses two string patterns: $header, which must sit at offset 0, and $vbaStrings, which may appear anywhere in the file.
Scenario: User edits a document using Microsoft Word and saves it with embedded macros
Filter/Exclusion: process.name != "WINWORD.EXE" and process.name != "MSWORD.EXE"
Scenario: System administrator deploys a scheduled task that generates a .docx file with macros for automated reporting
Filter/Exclusion: process.name != "SCHTASKS.EXE" or user.name != "Administrator"
Scenario: IT team uses Microsoft Word to create a template with macros for internal use
Filter/Exclusion: process.name != "WINWORD.EXE" or file.name != "template.docx"
Scenario: A developer uses a macro-enabled .docx file to automate code formatting in a development environment
Filter/Exclusion: process.name != "WINWORD.EXE" or user.group != "Developers"
Scenario: A backup job generates a .docx file with macros to document system configurations
Filter/Exclusion: process.name != "VSSVC.EXE" and process.name != "Bak.exe"
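The following Python is an added example, not part of the page's rule set or tooling. It mirrors the YARA rule's condition ($header at offset 0 plus a case-insensitive substring search for word/vbaProject.bin) over constructed in-memory OOXML-style ZIPs, puts a stricter ZIP-parsing check beside it, and applies two of the exclusions listed above (Word saving a document, and the Administrator scheduled-task case) to constructed events. All sample files, event field values and helper names (build_ooxml, yara_like_match, has_vba_part, is_benign_context, triage) are assumptions made for the example.

```python
import io
import zipfile

# Constructed sample data and hypothetical helper names; not code from the page's rule set.
VBA_PART = "word/vbaProject.bin"   # the ZIP entry the YARA rule's $vbaStrings looks for


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style ZIP in memory (a constructed stand-in for a Word file).

    ZIP_STORED keeps entry bodies uncompressed so the lookalike case below is visible;
    entry *names* are stored uncompressed in real DOCX files regardless of compression."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def yara_like_match(data: bytes) -> bool:
    """Mirror the rule's condition: $header at 0 and $vbaStrings (nocase, anywhere in the file)."""
    return data.startswith(b"PK") and VBA_PART.lower().encode() in data.lower()


def has_vba_part(data: bytes) -> bool:
    """Stricter triage check: parse the ZIP and require an actual entry named word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower() == VBA_PART.lower() for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def is_benign_context(event: dict) -> bool:
    """Two of the page's exclusions, written as the condition under which an event is dropped.

    Word saving a document: exclude both process names, i.e. keep only when
    process.name != "WINWORD.EXE" AND process.name != "MSWORD.EXE"
    (an OR between two != tests on the same field is always true and excludes nothing)."""
    proc = event.get("process.name", "")
    word_saving = proc in ("WINWORD.EXE", "MSWORD.EXE")
    admin_task = proc == "SCHTASKS.EXE" and event.get("user.name") == "Administrator"
    return word_saving or admin_task


def triage(events: list) -> list:
    """Return the file names that should raise an alert: rule hit and no exclusion applies."""
    return [e["file.name"] for e in events
            if has_vba_part(e["file_bytes"]) and not is_benign_context(e)]


# --- constructed samples (not real Word output) ---
MACRO_DOC = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,  # OLE magic + padding
})
PLAIN_DOC = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
# the string appears in document text, not as an entry name: substring rule fires, ZIP check does not
LOOKALIKE_DOC = build_ooxml({
    "word/document.xml": b"<w:t>see word/vbaProject.bin for details</w:t>",
})
FRAGMENT = b"PK\x03\x04" + b"truncated word/vbaProject.bin"   # PK magic but not a parseable ZIP
NOT_ZIP = b"%PDF-1.7 word/vbaProject.bin"                     # no PK at offset 0

SAMPLE_EVENTS = [
    {"process.name": "OUTLOOK.EXE",  "file.name": "invoice.docx", "file_bytes": MACRO_DOC},
    {"process.name": "WINWORD.EXE",  "file.name": "report.docx",  "file_bytes": MACRO_DOC},
    {"process.name": "SCHTASKS.EXE", "user.name": "Administrator",
     "file.name": "monthly.docx", "file_bytes": MACRO_DOC},
    {"process.name": "SCHTASKS.EXE", "user.name": "svc-report",
     "file.name": "weekly.docx", "file_bytes": MACRO_DOC},
    {"process.name": "OUTLOOK.EXE",  "file.name": "memo.docx",    "file_bytes": PLAIN_DOC},
]

if __name__ == "__main__":
    for label, blob in [("MACRO_DOC", MACRO_DOC), ("PLAIN_DOC", PLAIN_DOC),
                        ("LOOKALIKE_DOC", LOOKALIKE_DOC), ("FRAGMENT", FRAGMENT), ("NOT_ZIP", NOT_ZIP)]:
        print(f"{label:14} yara={yara_like_match(blob)!s:5} zip_entry={has_vba_part(blob)}")
    print("alerts:", triage(SAMPLE_EVENTS))
```

The LOOKALIKE_DOC and FRAGMENT cases show why the YARA hit alone is a hunting lead rather than a verdict: the rule's substring match fires on any "PK"-prefixed blob that mentions the entry name, while the ZIP-parsing check only accepts a file that really carries the vbaProject.bin part. Running the parser as a triage step before paging, and applying the exclusions as "drop when benign" conditions, keeps the alert queue to the events an analyst should actually look at.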