Excel

Adversaries may exploit Microsoft Office applications to execute malicious JScript or VBScript by leveraging the Microsoft.XMLDOM COM interface to process and transform XML documents using XSL scripts, potentially leading to initial access or defense evasion.

The WindShift APT group is targeting Middle Eastern governments with a first-stage macOS implant called OSX.WindTail, abusing custom URL schemes for initial infection and establishing persistence via login items, while decrypting embedded strings to identify file extensions of interest.

Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.

A logic flaw in Microsoft Excel allows remote code execution on macOS via malicious XLM macros in SYLK files, bypassing the 'Disable all macros without notification' setting.

The creation of an XLL file outside of typical locations can indicate an attempt to abuse Excel COM objects to load and execute a malicious XLL payload, often used in spearphishing attacks to achieve remote code execution.

This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.