Detect UserForm object in MS Office document

Hunt Hypothesis

The presence of a UserForm object in an MS Office document may indicate an attempt to embed malicious code for execution within a document. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential document-based attacks that could bypass traditional detection mechanisms.

YARA Rule

rule Contains_UserForm_Object
{
	meta:
		author = "Martin Willing (https://evild3ad.com)"
		description = "Detect UserForm object in MS Office document"
		reference = "https://msdn.microsoft.com/en-us/library/office/gg264663.aspx"
		date = "2016-03-05"
		filetype = "Office documents"
		
	strings:
		$a = "UserForm1"
		$b = "TextBox1"
		$c = "Microsoft Forms 2.0"
	
	condition:
	 	all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://msdn.microsoft.com/en-us/library/office/gg264663.aspx
• Source Rule

False Positive Guidance

• Scenario: UserForm used in a legitimate business application
  Description: A developer uses a UserForm in a custom Microsoft Excel add-in to collect user input for reporting purposes.
  Filter/Exclusion: Exclude documents created by known internal development tools (e.g., Excel Add-in: MyReportingTool) or filter by user account (e.g., user = dev-support-team).

• Scenario: Scheduled job generates MS Office documents with UserForm
  Description: A scheduled PowerShell script generates Excel files with embedded UserForms for automated data collection.
  Filter/Exclusion: Exclude files generated by specific scheduled tasks (e.g., TaskName = "DailyDataExportJob") or filter by file creation time (e.g., file_creation_time = daily_schedule_window).

• Scenario: Admin task creates template with UserForm for standard reporting
  Description: An administrator creates a Word template with a UserForm to standardize data entry across the organization.
  Filter/Exclusion: Exclude files with specific template identifiers (e.g., file_name = "StandardReportTemplate.dotx") or filter by user (e.g., user = admin-reporting).

• Scenario: UserForm used in a training document for internal use
  Description: A training document in PowerPoint includes a UserForm to collect feedback from employees during a workshop.
  Filter/Exclusion: Exclude files created by specific training tools (e.g., PowerPoint Add-in: TrainingTool) or filter by department (e.g., department = training).

• Scenario: UserForm embedded in a legacy system integration file
  Description: A legacy system integration file (e.g., a VBA-enabled Excel file) uses a UserForm to interface with an older application.
  Filter/Exclusion: Exclude files with known legacy system identifiers (e.g.,