Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
The macro references the ShellBrowserWindow COM object, which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.
Sublime rule:
name: "Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation"
description: |
  Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.
references:
  - "https://blog.f-secure.com/dechaining-macros-and-evading-edr/"
  - "https://delivr.to/payloads?id=0db5ac46-b59d-4bec-8252-59a40a0d9dec"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*"
                      )
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004"
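To check the rule's two-part logic outside Sublime, here is an added Python re-implementation (not the rule's own code and not part of Sublime) that runs the same attachment filter and case-insensitive moniker match over constructed attachment records. The macro-extension list and the Attachment record layout are assumptions, since the page does not show the contents of $file_extensions_macros or the file.explode() output shape.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed stand-in for Sublime's $file_extensions_macros list (not shown on the page).
FILE_EXTENSIONS_MACROS = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "xlam", "ppt", "pptm"}

# CLSID moniker glob from the rule. strings.ilike() is a case-insensitive glob,
# so matching a lower-cased pattern against lower-cased input reproduces it.
SHELLBROWSERWINDOW_PATTERN = "*new:c08afd90-f2a1-11d1-8455-00a0c91f3880*"


@dataclass
class Attachment:
    """Assumed flattened view of one attachment plus its exploded strings."""
    file_extension: Optional[str]
    file_type: str
    content_type: str
    size: int
    strings: List[str] = field(default_factory=list)  # stands in for .scan.strings.strings


def is_candidate(att: Attachment) -> bool:
    """First half of the rule: a macro-capable extension, or an unlabelled
    octet-stream blob with no extension and under 100 MB."""
    if att.file_extension is not None:
        return att.file_extension.lower() in FILE_EXTENSIONS_MACROS  # in~ is case-insensitive
    return (att.file_type == "unknown"
            and att.content_type == "application/octet-stream"
            and att.size < 100_000_000)


def references_shellbrowserwindow(att: Attachment) -> bool:
    """Second half: any extracted string contains the CLSID moniker, any case."""
    return any(fnmatch.fnmatchcase(s.lower(), SHELLBROWSERWINDOW_PATTERN) for s in att.strings)


def rule_matches(inbound: bool, attachments: List[Attachment]) -> bool:
    """type.inbound and any(attachments, candidate filter and moniker match on the same attachment)."""
    return inbound and any(is_candidate(a) and references_shellbrowserwindow(a) for a in attachments)


# Constructed sample attachments for a dry run; none are real samples.
SAMPLE_ATTACHMENTS = [
    Attachment("docm", "doc", "application/vnd.ms-word.document.macroEnabled.12", 40_000,
               strings=["Attribute VB_Name", "NEW:C08AFD90-F2A1-11D1-8455-00A0C91F3880"]),
    Attachment("pdf", "pdf", "application/pdf", 10_000,
               strings=["new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"]),  # moniker, but not a macro candidate
    Attachment(None, "unknown", "application/octet-stream", 5_000, strings=["plain text"]),
]

if __name__ == "__main__":
    print("rule fires:", rule_matches(True, SAMPLE_ATTACHMENTS))
```

The second sample shows why both halves matter: the moniker alone does not fire the rule unless the attachment also passes the macro-candidate filter.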