AN1405: Analytic 1405
Detects automation macros or VBA scripts in documents that access browser file paths, read cookie data, or attempt to exfiltrate browser session tokens over HTTP.
Analyst context for executives and security teams
This analytic matters because it focuses on a high-risk document behavior: Office documents using macros or VBA to reach into browser-related files, read cookie data, or send browser session tokens over HTTP. For leaders, the practical issue is not just “malicious macros”; it is potential session theft from a user workstation, which can undermine identity controls because a stolen browser session can be replayed without passing through the credential checks or MFA prompts that normally happen at login.
Executive priority
Treat this as a validation point for identity, endpoint, email/document security, and SOC readiness. Executives should ask whether the organization can detect suspicious Office automation interacting with browser data and outbound HTTP, whether macro governance is enforced, and whether incident responders have playbooks for suspected browser session token exposure. This is also useful audit evidence for controls around Office macro risk, sensitive token handling, and monitoring of suspicious document-driven network activity.
Technical view
The supplied object is an ATT&CK detection analytic for the Office Suite platform. It describes detection of automation macros or VBA scripts in documents that access browser file paths, read cookie data, or attempt to exfiltrate browser session tokens over HTTP. Because no official detection logic or relationship context is provided, SOC and detection teams should validate whether they can correlate Office document or macro execution with file access to browser storage locations and outbound HTTP activity from Office-related processes or script hosts. IR teams should treat confirmed alerts as potential session-token exposure and scope affected users, endpoints, browser artifacts, and outbound destinations.
Likely telemetry
- Office macro/VBA execution events or document automation telemetry
- Endpoint process creation and parent-child process relationships involving Office applications
- File access telemetry for browser profile, cookie, or session-related paths
- Network telemetry showing outbound HTTP activity associated with Office or script-driven processes
- EDR or host telemetry that can correlate document activity, file reads, and network connections
Detection direction
- Validate that Office macro execution is visible; many environments have partial telemetry or only log blocked macro events.
- Correlate Office document automation with access to browser file paths or cookie/session data rather than alerting on macros alone, which can be noisy in organizations with legitimate Office automation.
- Prioritize cases where Office-related activity is followed by outbound HTTP, especially when the destination is unusual for the user, host, or document workflow.
- Tune carefully for legitimate enterprise macros that read local files or make web requests, while treating browser cookie/session access as a higher-risk discriminator.
- Because the ATT&CK object provides no official detection implementation, build and test local analytics against available EDR, Office, proxy, and network data sources before relying on coverage claims.
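As an added example (not code from the ATT&CK object or from Glexia), the correlation the points above describe, run over constructed telemetry: an alert fires only when an Office process or an Office-spawned script host reads a browser cookie store and then makes outbound HTTP(S) within a window, while a benign macro that reads a CSV and posts to an intranet API is left alone. The process names, cookie-store path patterns and ten-minute window are assumptions for the example.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumed cookie-store locations (Chrome/Edge "Cookies" file, Firefox cookies.sqlite);
# the ATT&CK object names no specific browser paths, so tune these locally.
COOKIE_STORE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Cookies$|\\cookies\.sqlite$", re.I)
WINDOW_SECONDS = 600  # HTTP must follow the cookie read within 10 minutes (assumed)


def correlate(events):
    """Return one alert per process that is Office-driven, read a cookie store,
    and then made outbound HTTP(S) inside the window. Each event is a dict with
    'ts' (epoch seconds), 'type', 'pid', 'image' plus type-specific fields."""
    office_pids = set()        # Office apps and script hosts spawned by them
    cookie_reads = {}          # pid -> (ts, path) of the first cookie-store read
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        img, pid = e["image"].lower(), e["pid"]
        if e["type"] == "process":
            parent = e.get("parent_image", "").lower()
            if img in OFFICE_APPS or (img in SCRIPT_HOSTS and parent in OFFICE_APPS):
                office_pids.add(pid)
        elif e["type"] == "file_read":
            if pid in office_pids and pid not in cookie_reads and COOKIE_STORE.search(e["path"]):
                cookie_reads[pid] = (e["ts"], e["path"])
        elif e["type"] == "network" and pid in cookie_reads:
            t0, path = cookie_reads[pid]
            if e["proto"].lower() in ("http", "https") and 0 <= e["ts"] - t0 <= WINDOW_SECONDS:
                alerts.append({"pid": pid, "image": img, "cookie_path": path,
                               "dest": e["dest"], "delay_s": e["ts"] - t0})
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"ts": 1000, "type": "process", "pid": 100, "image": "WINWORD.EXE"},
    {"ts": 1002, "type": "process", "pid": 200, "image": "powershell.exe", "parent_image": "WINWORD.EXE"},
    {"ts": 1005, "type": "file_read", "pid": 200, "image": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 1030, "type": "network", "pid": 200, "image": "powershell.exe", "proto": "http", "dest": "203.0.113.10:80"},
    # benign finance macro: reads a CSV and posts to an intranet API, never touches a cookie store
    {"ts": 2000, "type": "process", "pid": 300, "image": "EXCEL.EXE"},
    {"ts": 2003, "type": "file_read", "pid": 300, "image": "EXCEL.EXE", "path": r"C:\Finance\q3.csv"},
    {"ts": 2010, "type": "network", "pid": 300, "image": "EXCEL.EXE", "proto": "https", "dest": "reports.intranet.example:443"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only the Office-spawned PowerShell chain is reported; the Excel macro produces no alert because the cookie-store read is the discriminator, not the HTTP request alone.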
Mitigation priorities
- Enforce macro governance for Office documents, including blocking or restricting untrusted macros where business processes allow.
- Harden endpoint and document handling controls so Office automation has limited ability to access sensitive browser data.
- Monitor and restrict suspicious outbound HTTP from Office-related processes where feasible.
- Prepare IR procedures for suspected browser session token theft, including user/session review, token/session invalidation where supported, endpoint containment, and evidence preservation.
- Use control validation exercises to confirm that endpoint, network, and identity teams can jointly investigate document-driven access to browser session material.
Analyst notes and limits
This take is based only on the supplied ATT&CK analytic AN1405. The object provides a concise behavior description but no official detection query, no ATT&CK tactic mapping, and no relationship context. The main defensive value is using the analytic as a coverage test across Office macro telemetry, endpoint file access, and outbound HTTP monitoring.
No active exploitation, threat actor attribution, impact level, specific browser paths, vendor implementation, or guaranteed detection coverage is supplied. Local environment details are required to determine which Office macro uses are legitimate, which browser artifacts are accessible, and whether telemetry can reliably tie document automation to file reads and HTTP activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fb1ac8e082c1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.