MITRE ATT&CK® Analytic

AN1388: Analytic 1388

Malicious macros or embedded objects hidden within Office documents by renaming streams or using hidden OLE objects. Defender view: detection of hidden macro streams or objects in documents correlated with anomalous execution.

Domain: Enterprise · ID: AN1388 · Type: Analytic · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1388 matters because malicious Office documents can hide macros or embedded objects in ways that basic file checks may miss. For leaders, the decision point is whether document security depends only on visible macro indicators, or whether the organization can inspect Office internals and correlate suspicious document structure with abnormal execution behavior.

Executive priority

Prioritize this where Office documents are a material business workflow, especially in email, collaboration, finance, legal, HR, or supplier exchange processes. The value is resilience and evidence: can the organization prove it inspects risky document content, detects abnormal Office-driven execution, and has an incident path for suspicious documents before they disrupt operations?

Technical view

Validate coverage for Office documents whose internals have been altered: storages or streams renamed away from their defaults, or OLE objects embedded where the document does not display them. Then correlate those findings with anomalous execution tied to the document or to the Office process that opened it. Because ATT&CK provides no separate detection logic or tactic mapping for this analytic, SOC teams should treat it as a detection-validation requirement: confirm that the parser locates VBA projects and embedded objects by their structure (for example the "dir" and "_VBA_PROJECT" streams every VBA project must contain) rather than by the default "Macros" or "_VBA_PROJECT_CUR" storage names, confirm document metadata visibility, and confirm endpoint execution correlation, instead of assuming standard macro detection is sufficient.

Likely telemetry

  • Office document static-analysis results, including macro and OLE object indicators
  • OLE stream names, object metadata, and evidence of renamed or hidden streams
  • File provenance and delivery context for Office documents where available
  • Endpoint execution telemetry showing activity associated with Office applications or opened documents
  • Alert correlation records linking document analysis findings to anomalous execution

Detection direction

  • Test whether document inspection tools can identify hidden macro streams and hidden OLE objects, not just visible macros.
  • Correlate suspicious document internals with anomalous execution to reduce noise from benign complex Office files.
  • Review false positives from legitimate Office documents that use embedded objects or unusual document structures.
  • Check blind spots in encrypted, password-protected, archived, or externally hosted documents if those are present in local workflows.
  • Because no official detection logic is supplied, require local validation with representative Office files and known-good business documents.
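The technical view and the detection-direction items above describe a check that has no worked form on this page. As an added example (not the page's or MITRE's code), the Python below builds a small OLE2/CFB document, parses its directory tree with the standard library only, and flags a VBA project by the streams MS-OVBA requires ("dir" and "_VBA_PROJECT") wherever its parent storage sits, an embedded Packager object by its "\x01Ole10Native" stream, and directory entries that are not linked into the tree at all. It then raises an alert only when those findings coincide with a constructed process record of an Office process spawning a shell. The storage name "Config" (standing in for "Macros"), the object container name, the process names and the telemetry records are assumptions constructed for illustration; the DIFAT sector chain used by files over roughly 7 MB is not followed.

```python
# Added example (not the page's or MITRE's code): structural scan of an OLE2/CFB document for VBA
# projects and embedded OLE objects, keyed on the stream layout fixed by MS-CFB/MS-OVBA, not on names.
import struct

SECTOR, STORAGE, STREAM, ROOT = 512, 1, 2, 5
NOSTREAM = FREESECT = N = 0xFFFFFFFF                    # N: short alias used in the sample below
ENDOFCHAIN, FATSECT = 0xFFFFFFFE, 0xFFFFFFFD
VBA_PATHS = {"Macros/VBA", "_VBA_PROJECT_CUR/VBA", "VBA"}   # Word .doc, Excel .xls, OOXML vbaProject.bin

def build_cfb(entries):
    """Constructed CFB writer (sector 0 = FAT, then directory). entries: (name, type, left, right, child)."""
    ndir = -(-len(entries) // 4)                                   # 4 x 128-byte entries per sector
    fat = [FATSECT] + list(range(2, ndir + 1)) + [ENDOFCHAIN]      # directory chain: sectors 1..ndir
    fat += [FREESECT] * (128 - len(fat))
    hdr = bytearray(SECTOR)
    hdr[:8] = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)     # version 3, 512-byte sectors
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))     # DIFAT[0]: the FAT is in sector 0
    directory = bytearray(ndir * SECTOR)
    for i in range(ndir * 4):
        name, etype, left, right, child = entries[i] if i < len(entries) else ("", 0, NOSTREAM, NOSTREAM, NOSTREAM)
        raw = name.encode("utf-16-le") + b"\0\0" if name else b""
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HBBIII", directory, i * 128 + 64, len(raw), etype, 1, left, right, child)
    return bytes(hdr) + struct.pack("<128I", *fat) + bytes(directory)

def read_fat(data):
    """FAT from the header DIFAT (first 109 FAT sectors; the DIFAT sector chain of larger files is skipped)."""
    fat = []
    for i in range(min(struct.unpack_from("<I", data, 44)[0], 109)):
        sid = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        fat += struct.unpack_from("<128I", data, SECTOR * (sid + 1))
    return fat

def read_directory(data, fat):
    """Follow the directory sector chain and decode every 128-byte entry, linked into the tree or not."""
    sid, entries, seen = struct.unpack_from("<I", data, 48)[0], [], set()
    while sid < len(fat) and sid not in seen:                        # ENDOFCHAIN or a FAT loop ends it
        seen.add(sid)
        for off in range(SECTOR * (sid + 1), SECTOR * (sid + 2), 128):
            nlen, etype = struct.unpack_from("<HB", data, off + 64)
            name = data[off:off + min(max(nlen - 2, 0), 64)].decode("utf-16-le", "replace")
            entries.append((name, etype) + struct.unpack_from("<III", data, off + 68))
        sid = fat[sid]
    return entries

def walk_tree(entries):
    """Paths of entries reachable from Root Entry; anything unreached is invisible to document viewers."""
    paths, reached = {}, set()
    def visit(sid, parent):
        if sid >= len(entries) or sid in reached:                    # NOSTREAM (0xFFFFFFFF) stops here
            return
        reached.add(sid)
        name, etype, left, right, child = entries[sid]
        path = f"{parent}/{name}" if parent else name
        if etype in (STORAGE, STREAM):
            paths[path] = etype
        visit(left, parent)                                          # siblings share this parent
        visit(right, parent)
        if etype in (STORAGE, ROOT):
            visit(child, path if etype == STORAGE else "")
    visit(0, "")
    return paths, reached

def scan_document(data):
    """Findings as (kind, path); no check relies on the default storage names."""
    entries = read_directory(data, read_fat(data))
    paths, reached = walk_tree(entries)
    findings = []
    for storage in sorted(p for p, t in paths.items() if t == STORAGE):
        children = {p.rsplit("/", 1)[1] for p in paths if "/" in p and p.rsplit("/", 1)[0] == storage}
        if {"dir", "_VBA_PROJECT"} <= children:                      # MS-OVBA mandatory streams: a VBA project
            findings.append(("vba_project", storage))
            if storage not in VBA_PATHS:                              # what a name-based macro check misses
                findings.append(("renamed_vba_storage", storage))
    findings += [("ole10native", p) for p, t in paths.items() if t == STREAM and p.rsplit("/", 1)[-1] == "\x01Ole10Native"]
    findings += [("orphan_entry", e[0]) for i, e in enumerate(entries) if e[1] in (STORAGE, STREAM) and i not in reached]
    return findings

def correlate(findings, events, document_name):
    """Alert only when a flagged document meets an Office process spawning a script/shell child (assumed names)."""
    office = {"winword.exe", "excel.exe", "powerpnt.exe"}
    suspect = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
    return [e for e in events if findings and e["parent"].lower() in office
            and e["image"].lower() in suspect and document_name.lower() in e["parent_cmdline"].lower()]

SAMPLE_DOC = build_cfb([                           # constructed sample, not a real malicious document
    ("Root Entry", ROOT, N, N, 1), ("WordDocument", STREAM, N, 2, N),
    ("Config", STORAGE, N, 3, 5),                  # VBA project parent renamed from "Macros" (assumed name)
    ("ObjectPool", STORAGE, N, N, 4), ("_1234567890", STORAGE, N, N, 8),   # embedded object container
    ("VBA", STORAGE, N, N, 6), ("dir", STREAM, N, 7, N), ("_VBA_PROJECT", STREAM, N, N, N),
    ("\x01Ole10Native", STREAM, N, N, N),          # Packager payload stream inside the embedded object
    ("ThisDocument", STREAM, N, N, N),             # never linked into the tree: hidden from viewers
])
SAMPLE_EVENTS = [                                  # constructed process-creation records, not real telemetry
    {"parent": "WINWORD.EXE", "parent_cmdline": r'WINWORD.EXE /n "C:\Users\a\Downloads\invoice.doc"', "image": "powershell.exe"},
    {"parent": "explorer.exe", "parent_cmdline": "explorer.exe", "image": "powershell.exe"},
]
```

Import the module and call scan_document on the bytes of a .doc or .xls file (or a vbaProject.bin extracted from an OOXML package) to inspect a real document; the sample yields four findings and exactly one correlated alert. Legitimate documents with embedded objects will also produce ole10native findings, which is why the correlation step, not the static finding alone, is the alert condition.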

Mitigation priorities

  • Reduce macro and embedded-object risk through policy controls appropriate to business workflows, for example blocking VBA macros in documents that carry the Mark of the Web and restricting activation of embedded Packager objects.
  • Route inbound and externally sourced Office documents through inspection processes capable of parsing Office internals.
  • Ensure endpoint monitoring can connect Office document activity to subsequent anomalous execution.
  • Define IR handling for suspicious Office documents, including containment, file preservation, and user-impact triage.
  • Maintain audit evidence showing document inspection, macro policy enforcement, and alert-review procedures.

Analyst notes and limits

This object is a detection analytic for Office Suite behavior: hidden macro streams or hidden OLE objects in Office documents, correlated with anomalous execution. There are no supplied ATT&CK relationships, tactics, aliases, or detailed detection logic, so the take focuses on defensive validation rather than technique attribution.

The source does not provide official detection content beyond the short description, and no relationships identify specific techniques, software, groups, or mitigations. Local telemetry, document-handling workflows, and control configuration are required to determine actual coverage.

Official MITRE ATT&CK definition

Analytic 1388

Malicious macros or embedded objects hidden within Office documents by renaming streams or using hidden OLE objects. Defender view: detection of hidden macro streams or objects in documents correlated with anomalous execution.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. No groups, software, data sources, or mitigations are linked to it in the normalized data, so validate any control-coverage decision against official ATT&CK relationships and your own telemetry rather than against this page alone.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e8d87ce189496ce0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e8d87ce18949…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: AN1388 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.