{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/todesk.app/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Word","Microsoft Outlook","Microsoft Excel","Microsoft PowerPoint","Microsoft OneNote","ToDesk.app","JumpCloud Agent","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["endpoint","macos","initial_access","microsoft_office"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Apple","ToDesk","JumpCloud","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious child processes spawned by Microsoft Office applications (Word, PowerPoint, Excel, Outlook, and OneNote) on macOS systems. Attackers often exploit Office applications through malicious macros or document vulnerabilities to execute arbitrary code. This technique allows them to gain an initial foothold on the system. The rule focuses on detecting the execution of scripting languages and system utilities such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e, \u003ccode\u003eosascript\u003c/code\u003e, and \u003ccode\u003epython\u003c/code\u003e as child processes of Office applications, indicating potential malicious activity. The rule logic incorporates filters to reduce false positives related to legitimate software behavior and system administration tasks. The rule was last updated on 2026/05/07 and requires Elastic Defend for data collection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document (e.g., Word, Excel) received via spearphishing (T1566.001).\u003c/li\u003e\n\u003cli\u003eThe document contains a malicious macro or exploits a vulnerability in the Office application (T1203, T1204.002).\u003c/li\u003e\n\u003cli\u003eUpon execution, the macro or exploit triggers the Office application to execute a shell command (T1059.004).\u003c/li\u003e\n\u003cli\u003eThe shell command executes a scripting interpreter like \u003ccode\u003e/bin/bash\u003c/code\u003e or \u003ccode\u003e/usr/bin/python\u003c/code\u003e to run malicious code (T1059.004, T1059.006).\u003c/li\u003e\n\u003cli\u003eThe malicious code downloads additional payloads or executes system commands using utilities like \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003eosascript\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can perform further actions such as reconnaissance or persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003eplutil\u003c/code\u003e or \u003ccode\u003ePlistBuddy\u003c/code\u003e to modify system configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003exattr\u003c/code\u003e to remove file quarantine attributes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive information, or perform other malicious activities. The targeted applications are widely used in enterprise environments, making this a potentially high-impact threat. Although the rule does not specify the number of affected organizations or incidents, the widespread use of Microsoft Office applications on macOS means many systems are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided EQL rule to your Elastic Security environment to detect suspicious child processes of MS Office applications on macOS (rule).\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend with the \u0026ldquo;Complete EDR (Endpoint Detection and Response)\u0026rdquo; configuration setting to ensure required data is collected (setup).\u003c/li\u003e\n\u003cli\u003eReview and tune the rule\u0026rsquo;s filter conditions based on your organization\u0026rsquo;s environment to minimize false positives, paying attention to the processes and arguments listed in the rule query (query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized scripting languages and utilities to prevent exploitation through Office applications (rule).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious attachments and enabling macros in Office documents (T1566.001, T1204.002).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T16:08:41Z","date_published":"2026-05-11T16:08:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-office-child-macos/","summary":"This rule identifies suspicious child processes of Microsoft Office applications on macOS, which often result from exploitation or malicious macros, by detecting unexpected processes like curl, bash, osascript, and python spawned by Office apps, while filtering out false positives related to product version discovery, error reporting, and legitimate software.","title":"Suspicious macOS MS Office Child Process","url":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-office-child-macos/"}],"language":"en","title":"CraftedSignal Threat Feed — ToDesk.app","version":"https://jsonfeed.org/version/1.1"}