MITRE ATT&CK® Analytic

AN1437: Analytic 1437

Malicious VBA macros embedded in base templates like Normal.dotm or Personal.xlsb are automatically loaded and executed at startup. Template path may be hijacked to load a remote or attacker-controlled template via GlobalDotName registry setting.

Domain: Enterprise. Object: AN1437 (Analytic), object version 1.0. Modified date not present in the mirrored data.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic points to a persistence-style Office risk: macros placed in default templates such as Normal.dotm or Personal.xlsb can load automatically when users start Word or Excel. For leaders, the practical issue is not just “macro malware,” but whether the organization can prove that Office startup templates and related configuration paths are monitored and controlled, especially where documents are central to business operations.

Executive priority

Prioritize this as an Office hardening and evidence question: can security teams show who can modify global Office templates, whether startup template paths are locally controlled, and whether suspicious changes would be visible to SOC or incident response teams? The ATT&CK object does not provide impact or exploitation claims, but the behavior is material because trusted productivity applications may run attacker-controlled macro content at startup if template locations or registry settings are abused.

Technical view

Validate coverage for Office Suite environments where Word and Excel use base templates such as Normal.dotm and Personal.xlsb. By default these live in the user profile (Normal.dotm under %APPDATA%\Microsoft\Templates, Personal.xlsb under %APPDATA%\Microsoft\Excel\XLSTART), and GlobalDotName is a per-user string value under the Word Options key in HKCU (Software\Microsoft\Office\<version>\Word\Options) that, when set, replaces the default Normal.dotm path, so it can point Word at a local, UNC, or HTTP template. These locations are standard Office defaults rather than part of the ATT&CK object, and redirected profiles or custom deployments may differ. Detection engineering should focus on unauthorized creation, modification, or replacement of these templates, and on changes to template path configuration including the GlobalDotName registry setting referenced by MITRE. Note that Word itself rewrites Normal.dotm routinely (for example when settings change or on exit), so the signal is a write by a process other than the Office application or the managed deployment agent, not the write itself. Because no official detection logic or tactic is supplied, teams should build local baselines for legitimate template use, administrative changes, and expected macro-enabled templates before alerting broadly.

Likely telemetry

  • File creation and modification events for Office global/startup template files, including Normal.dotm and Personal.xlsb
  • Registry change telemetry for Office template path configuration, including GlobalDotName where applicable
  • Office application startup and document/template load activity where collected
  • Endpoint process telemetry showing Office applications starting and loading macro-enabled content
  • Administrative change records or endpoint management logs for approved Office template deployment

Detection direction

  • Baseline legitimate global template locations and approved macro-enabled templates before treating all template changes as malicious.
  • Alert on unexpected modification, replacement, or creation of Normal.dotm, Personal.xlsb, or other Office startup templates, especially outside managed deployment windows.
  • Monitor changes to Office template path settings, including GlobalDotName, with attention to paths that are remote, unusual, or not managed by the organization.
  • Tune for known business workflows that legitimately deploy templates, add-ins, or macros to reduce false positives.
  • Confirm that telemetry is collected from user endpoints where Office is installed; server- or perimeter-only monitoring is unlikely to answer this analytic.
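The detection directions above, and the technical view before them, can be expressed as a small triage routine. The block below is an added example written for this page, not MITRE's or Glexia's code, and not an official ATT&CK detection. It assumes Sysmon-shaped events (EventID 11 FileCreate with `Image`/`TargetFilename`, EventID 13 registry value set with `Image`/`TargetObject`/`Details`), the standard per-user Office template paths, the documented HKCU Word Options location of GlobalDotName (Sysmon logs HKCU as HKU\<SID>), and a hypothetical approved deployment agent name (CcmExec.exe). The sample events and the in-memory template package are constructed for the example. It also shows the baseline point from the text: Word writing its own Normal.dotm is expected and is not alerted on, while the same write by PowerShell is.

```python
"""Added example: triage Office startup-template writes and GlobalDotName
changes over constructed Sysmon-style events, and check whether an OOXML
template package carries a VBA project. Field names, default paths and the
approved deployer are assumptions, not part of the ATT&CK object."""
import io
import re
import zipfile

# Standard per-user Office base/startup template locations (assumed defaults).
TEMPLATE_PATTERNS = [
    re.compile(r"\\Microsoft\\Templates\\Normal\.dotm$", re.I),
    re.compile(r"\\Microsoft\\Excel\\XLSTART\\[^\\]+\.xl(s[bm]|am)$", re.I),
    re.compile(r"\\Microsoft\\Word\\STARTUP\\[^\\]+\.dot[mx]$", re.I),
]
# GlobalDotName sits under the per-user Word Options key; the leading hive
# (HKU\<SID> in Sysmon output) is deliberately not anchored.
GLOBALDOTNAME_RE = re.compile(r"\\Office\\\d+\.\d+\\Word\\Options\\GlobalDotName$", re.I)

# Processes expected to write these templates: the Office apps themselves and
# the managed deployment agent. CcmExec.exe is a hypothetical approved deployer.
OFFICE_IMAGES = {"winword.exe", "excel.exe"}
APPROVED_DEPLOYERS = {"ccmexec.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_startup_template(path):
    return any(p.search(path) for p in TEMPLATE_PATTERNS)


def is_remote_template_path(value):
    """UNC shares and URLs are the classic remote-template hijack targets."""
    v = value.strip().strip('"')
    return v.startswith("\\\\") or re.match(r"^https?://", v, re.I) is not None


def template_has_vba(blob):
    """OOXML templates (.dotm/.xlsm/.xlsb) are ZIP packages; a vbaProject.bin
    part means a VBA project is present. Returns None for non-ZIP input
    (legacy .dot/.xls need OLE parsing, e.g. oletools, not covered here)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return None


def triage(events):
    """Flag template writes by unexpected processes and any GlobalDotName change
    (remote target paths are high severity, local ones medium)."""
    findings = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        if ev.get("EventID") == 11 and is_startup_template(ev.get("TargetFilename", "")):
            if image in OFFICE_IMAGES or image in APPROVED_DEPLOYERS:
                continue  # baseline: Office saving its own template, or managed deployment
            findings.append({"severity": "high",
                             "reason": f"startup template written by {image}",
                             "event": ev})
        elif ev.get("EventID") == 13 and GLOBALDOTNAME_RE.search(ev.get("TargetObject", "")):
            remote = is_remote_template_path(ev.get("Details", ""))
            findings.append({"severity": "high" if remote else "medium",
                             "reason": "GlobalDotName set to "
                                       + ("remote path" if remote else "local path"),
                             "event": ev})
    return findings


def build_template(with_vba):
    """Construct a minimal OOXML-shaped package in memory (test data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
    return buf.getvalue()


# Constructed Sysmon-shaped sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventID": 11, "Image": r"C:\Windows\CCM\CcmExec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\Personal.xlsb"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Options\GlobalDotName",
     "Details": r"\\10.0.0.5\share\template.dotm"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["reason"])
    print("vba in constructed template:", template_has_vba(build_template(True)))
```

Of the four sample events only two produce findings: the PowerShell write to Normal.dotm and the GlobalDotName value pointing at a UNC share. The WINWORD.EXE write and the deployment-agent write to Personal.xlsb are treated as baseline, which is the tuning the page asks for. In production the approved-deployer set, the template paths and the severity for a local GlobalDotName value should come from the organization's own baseline, and `template_has_vba` is a presence check only: the VBA project still has to be reviewed (for example with oletools) before a template is classified as malicious.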

Mitigation priorities

  • Restrict write access to Office global template locations to authorized users and managed deployment processes.
  • Use centralized Office configuration management where available to control trusted locations, macro policy, and template paths.
  • Review and approve business-required macro templates, then monitor for drift from the approved baseline.
  • Include Office template and registry-path checks in incident response triage for suspicious macro or Office startup behavior.
  • Maintain audit evidence showing template control ownership, approved exceptions, and monitoring coverage for compliance and readiness reviews.

Analyst notes and limits

This is an ATT&CK detection analytic for Office Suite behavior, not a full technique entry. The useful defensive takeaway is to validate control and visibility over Office startup templates and template path configuration. The supplied relationship context is empty, so this take does not infer associated techniques, malware, campaigns, or threat actors.

MITRE supplied no official detection text, no tactics, and no relationships for this object. The description names example templates and the GlobalDotName registry setting, but local Office versions, deployment methods, endpoint logging, and business macro usage determine what is observable and what should alert.

Official MITRE ATT&CK definition

Analytic 1437

Malicious VBA macros embedded in base templates like Normal.dotm or Personal.xlsb are automatically loaded and executed at startup. Template path may be hijacked to load a remote or attacker-controlled template via GlobalDotName registry setting.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: not present in the mirrored snapshot
Modified: not present in the mirrored snapshot
Raw hash: 4971f9efce8651d6...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: not present in the mirrored snapshot | Object version: 1.0 | Modified: not present in the mirrored snapshot | Status: Current bundle | Raw hash: 4971f9efce86…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1437 (source URL retained in the mirrored reference record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.