Product

Microsoft Excel

3 briefs RSS

Suspicious macOS MS Office Child Process

This rule identifies suspicious child processes of Microsoft Office applications on macOS, which often result from exploitation or malicious macros, by detecting unexpected processes like curl, bash, osascript, and python spawned by Office apps, while filtering out false positives related to product version discovery, error reporting, and legitimate software.

Microsoft Word +7 endpoint macos initial_access microsoft_office

2r 6t May 11, 2026

medium advisory

Suspicious MS Office Child Process

2 rules 18 TTPs

Detects suspicious child processes of Microsoft Office applications, indicating potential exploitation or malicious macros for initial access, defense evasion, and execution.

Microsoft Office +4 initial-access defense-evasion execution discovery windows

2r 18t Jan 3, 2024

high threat

Microsoft Excel XLM Macro Remote Code Execution on macOS

3 rules

A logic flaw in Microsoft Excel allows remote code execution on macOS via malicious XLM macros in SYLK files, bypassing the 'Disable all macros without notification' setting.

exploited Excel +4 xlm rce macro macos sylk

3r Jan 3, 2024