AN0191: Analytic 0191
Phishing via Office documents containing embedded macros or links that spawn processes. Detection relies on correlating Office application logs with suspicious child process execution and outbound network connections.
Analyst context for executives and security teams
This analytic matters because malicious Office documents can turn a routine phishing email into code execution, follow-on network activity, and an incident that starts on an endpoint but quickly becomes an identity and business-continuity problem. The supplied ATT&CK object focuses on detecting Office documents with embedded macros or links that spawn processes and make outbound connections, so the value is in proving that SOC teams can connect Office activity, child process creation, and network evidence into one investigation path.
Executive priority
Leaders should treat this as a validation point for phishing resilience and SOC readiness rather than a standalone control. The key business question is whether the organization can reliably see and investigate Office Suite activity that launches suspicious processes and communicates externally. This supports incident decision-making, audit evidence for monitoring coverage, and prioritization of controls around Office macro/link abuse, endpoint visibility, and outbound network monitoring.
Technical view
For SOC, detection engineering, and IR teams, validate that Office application activity can be correlated with child process execution and outbound network connections. Because no ATT&CK tactics or formal detection logic are supplied, teams should avoid assuming full coverage from a single alert. The practical test is whether an analyst can start from an Office process event, identify unusual spawned processes, and connect that activity to network telemetry for triage and containment decisions.
Likely telemetry
- Office application logs or activity records
- Endpoint process creation events showing Office applications spawning child processes
- Command-line and parent-child process metadata where available
- Outbound network connection logs from endpoints or network controls
- Security alerts related to macros, embedded links, or suspicious Office document behavior
Detection direction
- Correlate Office Suite process activity with child process execution rather than alerting only on document open events.
- Prioritize cases where Office-spawned processes are followed by outbound network connections.
- Tune for common business workflows that legitimately launch helper processes from Office applications to reduce false positives.
- Check for blind spots where endpoint telemetry lacks parent-child process detail or where outbound network visibility is incomplete.
- Use this analytic as a coverage test for phishing investigation workflows, since the official detection field is not provided.
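The correlation described in the technical view and detection direction above, as an added worked example (not code from MITRE or Glexia): stage one finds processes spawned by an Office parent that are not on a benign-helper allowlist, stage two links those children to outbound connections to non-internal addresses within a short window. The event shape is modelled on Sysmon Event ID 1 (process create) and Event ID 3 (network connect) after field normalisation; the field names, the allowlist, the five-minute window, the internal address ranges and the sample events are all assumptions made for this illustration.

```python
"""Correlate Office-spawned child processes with outbound connections.

Added example; not code from MITRE ATT&CK or Glexia. Field names, the
allowlist, the window and the sample events are assumptions.
"""
import ipaddress
from datetime import datetime, timedelta

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Helper processes Office launches in ordinary workflows; tune per environment.
BENIGN_CHILDREN = {"splwow64.exe", "msosync.exe", "officeclicktorun.exe"}
# Internal ranges (RFC 1918, loopback, link-local); extend with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
WINDOW = timedelta(minutes=5)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, window=WINDOW):
    """Stage 1: children spawned by Office that are not allowlisted.
    Stage 2: outbound, externally bound connections from those children
    within `window` of the spawn. Returns one finding per connection."""
    ordered = sorted(events, key=lambda e: parse_time(e["utc_time"]))
    suspects = {}
    for ev in ordered:
        if ev["event_id"] != 1:
            continue
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev["image"])
        if parent in OFFICE_IMAGES and child not in BENIGN_CHILDREN:
            suspects[ev["process_guid"]] = {
                "host": ev["host"], "parent": parent, "child": child,
                "command_line": ev.get("command_line", ""),
                "spawn_time": parse_time(ev["utc_time"]),
            }
    findings = []
    for ev in ordered:
        if ev["event_id"] != 3 or not ev.get("initiated", False):
            continue  # only connections the process itself opened
        sus = suspects.get(ev["process_guid"])
        if sus is None or not is_external(ev["destination_ip"]):
            continue
        delta = parse_time(ev["utc_time"]) - sus["spawn_time"]
        if timedelta(0) <= delta <= window:
            findings.append({
                **sus,
                "destination": f"{ev['destination_ip']}:{ev['destination_port']}",
                "seconds_after_spawn": int(delta.total_seconds()),
            })
    return findings


# Constructed sample telemetry (not real logs). 203.0.113.0/24 is a
# documentation range standing in for an internet address.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Word spawns PowerShell with a hidden, encoded command (placeholder payload).
    {"event_id": 1, "utc_time": "2024-05-06 10:00:00", "host": "WS01",
     "process_guid": "G1", "image": PS, "parent_image": WORD,
     "command_line": "powershell.exe -nop -w hidden -enc <base64 stage>"},
    # Word spawns the print helper: allowlisted business workflow.
    {"event_id": 1, "utc_time": "2024-05-06 10:00:03", "host": "WS01",
     "process_guid": "G2", "image": r"C:\Windows\splwow64.exe",
     "parent_image": WORD, "command_line": "splwow64.exe"},
    # Explorer spawns PowerShell: no Office parent, out of scope.
    {"event_id": 1, "utc_time": "2024-05-06 10:00:05", "host": "WS01",
     "process_guid": "G3", "image": PS,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe"},
    # G1 external inside window (finding); G2 to an RFC 1918 print server
    # (ignored); G3 (ignored); G1 again long after the window (ignored).
    {"event_id": 3, "utc_time": "2024-05-06 10:00:12", "host": "WS01",
     "process_guid": "G1", "initiated": True,
     "destination_ip": "203.0.113.10", "destination_port": 443},
    {"event_id": 3, "utc_time": "2024-05-06 10:00:14", "host": "WS01",
     "process_guid": "G2", "initiated": True,
     "destination_ip": "10.0.0.5", "destination_port": 9100},
    {"event_id": 3, "utc_time": "2024-05-06 10:00:20", "host": "WS01",
     "process_guid": "G3", "initiated": True,
     "destination_ip": "203.0.113.20", "destination_port": 443},
    {"event_id": 3, "utc_time": "2024-05-06 10:30:00", "host": "WS01",
     "process_guid": "G1", "initiated": True,
     "destination_ip": "203.0.113.11", "destination_port": 8080},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['parent']} -> {f['child']} -> {f['destination']} "
              f"({f['seconds_after_spawn']}s after spawn) cmd: {f['command_line']}")
```

Run against the constructed events, only the Word-to-PowerShell chain with its connection to 203.0.113.10:443 is reported; the allowlisted print helper, the Explorer-launched PowerShell and the connection outside the window are dropped. The two blind spots listed above show up directly in the code: without a `parent_image` field stage one never fires, and without Event ID 3 (or equivalent network telemetry keyed to the process) stage two has nothing to join.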
Mitigation priorities
- Reduce exposure to risky Office document behavior through policy and configuration controls for macros and embedded content where appropriate.
- Ensure endpoint monitoring captures process lineage for Office applications.
- Maintain outbound network monitoring sufficient to connect endpoint process activity with external communications.
- Exercise phishing-driven incident response playbooks that include Office process investigation and network containment decisions.
- Document monitoring evidence for compliance or assurance programs that require proof of phishing detection capability.
Analyst notes and limits
The object is a detection analytic for the Office Suite platform. Its description identifies phishing via Office documents containing embedded macros or links that spawn processes, with detection relying on correlation across Office application logs, suspicious child processes, and outbound network connections. No relationships, tactics, aliases, or detailed official detection logic were supplied.
This take is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detection. Local logging architecture, Office configuration, endpoint tooling, and network visibility are required to determine actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 74495d6fa987… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0191 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.