AN1302: Analytic 1302

This analytic matters because shared Office documents can become a code-execution path when macros, embedded scripts, or external references are added. For leaders, the practical issue is not just malware in a file; it is whether collaboration workflows allow a trusted document space to become an execution and incident-response problem.

Executive priority

Prioritize validation around shared document repositories and Office Suite controls: who can add or modify active content, whether macro/script execution is governed, and whether security teams can prove this through logs and inspection results. This is relevant to business continuity because document collaboration is often mission-critical, and weak visibility can delay triage when a suspicious shared file is reported.

Technical view

For SOC, detection engineering, and IR teams, validate coverage for Office Suite documents containing embedded macros, scripts, or external references that may execute code. Because the ATT&CK object provides no official detection logic and no relationship context, teams should focus on local evidence: document content inspection, Office security events, shared-file modification history, and endpoint telemetry showing Office applications invoking script or code-execution behavior where available.

Likely telemetry

Office Suite security and macro-related events
Document content inspection results for embedded macros, scripts, and external references
Shared document repository access, creation, and modification logs
File metadata and version history for shared documents
Endpoint process telemetry for Office applications and related child processes, where collected

Detection direction

Confirm whether shared Office documents are inspected for embedded macros, scripts, and external references before and after upload or modification.
Tune detections to distinguish expected business templates and approved automation from newly added or unusual active content.
Correlate document modification events with subsequent Office Suite execution behavior where endpoint telemetry exists.
Review blind spots in cloud or shared-document locations that are not covered by content scanning or centralized logging.
Because no official analytic logic is provided, require local baselining and testing before treating alerts as high confidence.

Mitigation priorities

Establish governance for macros, scripts, and external references in Office Suite documents, especially in shared repositories.
Limit who can create or modify documents containing active content in business-critical collaboration spaces.
Use document inspection and policy enforcement to flag or block unapproved embedded code or external references where feasible.
Preserve repository logging, document version history, and endpoint telemetry needed for investigation.
Include suspicious shared-document workflows in user reporting, SOC triage, and incident response playbooks.

Analyst notes and limits

This Glexia take is based only on ATT&CK analytic AN1302: an enterprise detection analytic for Office Suite platforms that detects embedded macros or scripts added to shared documents or external references used to execute code. No tactics, related techniques, detection pseudocode, data sources, or relationships were supplied.

Coverage and risk depend heavily on the organization’s Office Suite configuration, shared-document platforms, macro policy, content inspection depth, and endpoint logging. The supplied ATT&CK fields do not support claims about active exploitation, actor use, impact, or guaranteed detection.

Official MITRE ATT&CK definition

Analytic 1302

Detects embedded macros or scripts added to shared documents or use of external references to execute code.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 143782cb494a9c88...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`143782cb494a…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1302
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams