DET0012: Detection Strategy for VBA Stomping
Analyst context for executives and security teams
This detection strategy matters because VBA Stomping is a stealth technique for hiding malicious VBA payloads in Microsoft Office documents by making the visible VBA source look benign while compiled p-code remains the execution-relevant content. For leaders, the key issue is whether document inspection, email/content controls, SOC triage, and incident response preserve and analyze the right Office macro internals rather than relying only on visible macro source.
Executive priority
Prioritize this as a control-validation and evidence-readiness issue for phishing/document-borne risk. Ask whether the organization can identify macro-enabled Office files with mismatches between visible VBA source and compiled p-code, whether suspicious documents are retained for forensic review, and whether audit/compliance evidence can show how macro-capable documents are inspected or restricted. Budget decisions should focus on closing gaps in content inspection and incident response handling rather than assuming standard macro review is sufficient.
Technical view
The supplied detection strategy has no official detection text, platforms, or tactics, but it is explicitly related to ATT&CK technique T1564.007, VBA Stomping, under stealth. SOC and detection engineering teams should validate whether their document-analysis pipeline can parse embedded VBA module streams and PerformanceCache/p-code content, compare visible source against compiled content, and flag inconsistencies. IR teams should ensure suspect Office documents are collected intact so macro streams and p-code are not lost during handling.
Likely telemetry
- Macro-enabled Microsoft Office document samples and attachment metadata
- Extracted VBA module streams from Office documents
- PerformanceCache / p-code analysis artifacts where tooling supports them
- Visible VBA source code extracted from document modules
- Email, web, or file-ingress records showing delivery or transfer of macro-enabled Office files
Detection direction
- Validate that document scanning does not rely only on visible VBA source code, because the related technique specifically involves replacing source with benign data while compiled p-code remains relevant.
- Tune for mismatches or anomalies between VBA source streams and compiled p-code/PerformanceCache content when parsing is available.
- Confirm whether security tools preserve original files for secondary analysis; normalized text extraction alone may remove the evidence needed to evaluate VBA Stomping.
- Account for false positives from malformed, legacy, or tool-modified Office documents by requiring analyst review or corroborating context before escalation.
- Use the relationship to T1564.007 as the main analytic anchor; the detection-strategy object itself does not provide platform-specific logic or official detection steps.
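The comparison the points above call for, as an added example that is not Glexia's or MITRE's code: given one VBA module stream and its MODULEOFFSET value from the project's `dir` stream (everything before the offset is the PerformanceCache, i.e. the compiled p-code; everything from the offset onward is the compressed source), it decompresses the visible source with the MS-OVBA CompressedContainer algorithm and then flags identifiers that the p-code region references but the visible source never mentions. Assumptions: the module stream and offset have already been pulled out of the OLE container (an OLE parser such as olefile would supply them); the identifier sweep over the p-code bytes is a plain string heuristic standing in for a proper p-code disassembler, so it is for triage rather than proof; and the sample streams are constructed inline, not taken from a real document.

```python
import re

# ---- MS-OVBA 2.4.1 CompressedContainer decoder (how VBA source is stored) ----

def decompress_ovba(container: bytes) -> bytes:
    """Decode a CompressedContainer: 0x01 signature, then chunks of a 2-byte
    header (12-bit size-minus-3, 3-bit signature 0b011, 1-bit compressed flag)
    followed by flag bytes, literal bytes and 2-byte back-reference tokens."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 CompressedContainer signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunk signature")
        chunk_size = (header & 0x0FFF) + 3            # whole chunk, header included
        data = container[pos + 2:pos + chunk_size]
        pos += chunk_size
        if not header & 0x8000:                       # flag 0: chunk stored raw
            out += data
            continue
        chunk_start = len(out)
        i = 0
        while i < len(data):
            flags = data[i]                           # one bit per following token
            i += 1
            for bit in range(8):
                if i >= len(data):
                    break
                if not flags & (1 << bit):            # LiteralToken: one raw byte
                    out.append(data[i])
                    i += 1
                    continue
                token = int.from_bytes(data[i:i + 2], "little")   # CopyToken
                i += 2
                diff = len(out) - chunk_start
                bits = min(12, max(4, (diff - 1).bit_length()))   # == ceil(log2(diff))
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):
                    out.append(out[-offset])
    return bytes(out)


def literal_container(source: bytes) -> bytes:
    """Encode bytes as one compressed chunk made only of literal tokens (flag byte
    0x00 before each group of up to 8 bytes). Used here only to build samples."""
    assert len(source) <= 3600, "one-chunk helper; real writers split at 4096"
    body = bytearray()
    for i in range(0, len(source), 8):
        body.append(0x00)
        body += source[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)  # compressed, signature, size-3
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


# ---- visible source vs. p-code comparison (heuristic, string-sweep based) ----

IDENTIFIER = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{2,}")
# Names a compiled module always carries that say nothing about what it does.
PCODE_NOISE = {"attribute", "vb_name", "project", "vba", "stdole", "office"}


def pcode_identifiers(performance_cache: bytes) -> set:
    """Identifier-like ASCII strings in the p-code region (approximates the
    referenced-name table a p-code disassembler would recover exactly)."""
    names = {m.group(0).decode("ascii").lower()
             for m in IDENTIFIER.finditer(performance_cache)}
    return names - PCODE_NOISE


def check_module(module_stream: bytes, module_offset: int) -> dict:
    """Split the module stream at MODULEOFFSET and report names the compiled
    code references that the visible source does not contain."""
    pcache = module_stream[:module_offset]
    source = decompress_ovba(module_stream[module_offset:]).decode("latin-1")
    visible = source.lower()
    missing = sorted(n for n in pcode_identifiers(pcache) if n not in visible)
    return {"source": source, "missing_from_source": missing,
            "stomping_suspected": bool(missing)}


# ---- constructed samples (not real document content) ----

# Hand-built chunk: literals a,b,c then a CopyToken (offset 3, length 6).
COPY_TOKEN_SAMPLE = bytes.fromhex("01 05 b0 08 61 62 63 03 20")
# Mock PerformanceCache: binary padding around the names the compiled code uses.
SAMPLE_PCODE = b"\x00\x03\x00\x00Auto_Open\x00\x00\x0cCreateObject\x00\x05Shell\x00\x01\x00"
MODULE_OFFSET = len(SAMPLE_PCODE)
HONEST_SOURCE = (b'Attribute VB_Name = "Module1"\r\nSub Auto_Open()\r\n'
                 b'    Set app = CreateObject("WScript.Shell")\r\nEnd Sub\r\n')
STOMPED_SOURCE = (b'Attribute VB_Name = "Module1"\r\nSub Auto_Open()\r\n'
                  b'    MsgBox "Quarterly figures attached."\r\nEnd Sub\r\n')
HONEST_STREAM = SAMPLE_PCODE + literal_container(HONEST_SOURCE)
STOMPED_STREAM = SAMPLE_PCODE + literal_container(STOMPED_SOURCE)

if __name__ == "__main__":
    for label, stream in (("honest", HONEST_STREAM), ("stomped", STOMPED_STREAM)):
        r = check_module(stream, MODULE_OFFSET)
        print(label, r["stomping_suspected"], r["missing_from_source"])
```

On the constructed streams the honest module reports nothing missing, while the stomped module's p-code still references CreateObject and Shell that the visible source no longer contains, which is exactly the mismatch the detection direction above asks tooling to surface. Because the p-code sweep is string-based, treat a hit as a reason to pull the original file for analyst review (with a real p-code disassembler) rather than as a verdict on its own.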
Mitigation priorities
- Reduce business dependence on unrestricted macro-enabled Office documents where feasible.
- Route macro-capable documents through inspection workflows that can examine embedded VBA structures, not just visible source text.
- Preserve original suspicious documents during incident response for forensic review of module streams and p-code.
- Document macro-handling policy, inspection coverage, and exception processes for compliance and audit evidence.
- Where tooling lacks p-code or Office internals analysis, treat that as a known detection gap and prioritize compensating controls around document ingress and user workflow.
Analyst notes and limits
The strongest decision value is coverage validation: can the organization detect hidden macro content when source code appears benign? This is especially relevant to managed detection, IR readiness, threat-informed detection engineering, and compliance evidence around document controls. Local testing with representative Office documents is required to prove coverage.
The official detection-strategy object provides no description, detection text, tactics, platforms, aliases, or labels. The practical guidance here is derived only from the object name, its MITRE reference, and its relationship to T1564.007 VBA Stomping, whose supplied description is partial. No active exploitation, attribution, customer exposure, or guaranteed detection is asserted.
Detection Strategy for VBA Stomping
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1564.007 | VBA Stomping Sub-technique | This object detects VBA Stomping. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 610f048f827c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0012
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.