MITRE ATT&CK Technique
Description
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017) Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded. Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017) Adversaries may also modify the <code>*\template</code> control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files) This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-10-17T00:14:20.652Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may create or modify references in user document '
'templates to conceal malicious code or force authentication '
'attempts. For example, Microsoft’s Office Open XML (OOXML) '
'specification defines an XML-based format for Office '
'documents (.docx, xlsx, .pptx) to replace older binary '
'formats (.doc, .xls, .ppt). OOXML files are packed together '
'ZIP archives compromised of various XML files, referred to as '
'parts, containing properties that collectively define how a '
'document is rendered.(Citation: Microsoft Open XML July '
'2017)\n'
'\n'
'Properties within parts may reference shared public resources '
'accessed via online URLs. For example, template properties '
'may reference a file, serving as a pre-formatted document '
'blueprint, that is fetched when the document is loaded.\n'
'\n'
'Adversaries may abuse these templates to initially conceal '
'malicious code to be executed via user documents. Template '
'references injected into a document may enable malicious '
'payloads to be fetched and executed when the document is '
'loaded.(Citation: SANS Brian Wiltse Template Injection) These '
'documents can be delivered via other techniques such as '
'[Phishing](https://attack.mitre.org/techniques/T1566) and/or '
'[Taint Shared '
'Content](https://attack.mitre.org/techniques/T1080) and may '
'evade static detections since no typical indicators (VBA '
'macro, script, etc.) are present until after the malicious '
'payload is fetched.(Citation: Redxorblue Remote Template '
'Injection) Examples have been seen in the wild where template '
'injection was used to load malicious code containing an '
'exploit.(Citation: MalwareBytes Template Injection OCT 2017)\n'
'\n'
'Adversaries may also modify the <code>*\\template</code> '
'control word within an .rtf file to similarly conceal then '
'download malicious code. This legitimate control word value '
'is intended to be a file destination of a template file '
'resource that is retrieved and loaded when an .rtf file is '
'opened. However, adversaries may alter the bytes of an '
'existing .rtf file to insert a template control word field to '
'include a URL resource of a malicious payload.(Citation: '
'Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding '
'malicious RTF files)\n'
'\n'
'This technique may also enable [Forced '
'Authentication](https://attack.mitre.org/techniques/T1187) by '
'injecting a SMB/HTTPS (or other credential prompting) URL and '
'triggering an authentication attempt.(Citation: Anomali '
'Template Injection MAR 2018)(Citation: Talos Template '
'Injection July 2017)(Citation: ryhanson phishery SEPT 2016)',
'external_references': [{'external_id': 'T1221',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1221'},
{'description': 'Microsoft. (2014, July 9). '
'Introducing the Office (2007) Open '
'XML File Formats. Retrieved July 20, '
'2018.',
'source_name': 'Microsoft Open XML July 2017',
'url': 'https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)'},
{'description': 'Wiltse, B.. (2018, November 7). '
'Template Injection Attacks - '
'Bypassing Security Controls by '
'Living off the Land. Retrieved April '
'10, 2019.',
'source_name': 'SANS Brian Wiltse Template Injection',
'url': 'https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780'},
{'description': 'Hawkins, J. (2018, July 18). '
'Executing Macros From a DOCX With '
'Remote Template Injection. Retrieved '
'October 12, 2018.',
'source_name': 'Redxorblue Remote Template Injection',
'url': 'http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html'},
{'description': 'Segura, J. (2017, October 13). Decoy '
'Microsoft Word document delivers '
'malware through a RAT. Retrieved '
'July 21, 2018.',
'source_name': 'MalwareBytes Template Injection OCT '
'2017',
'url': 'https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/'},
{'description': 'Raggi, M. (2021, December 1). '
'Injection is the New Black: Novel '
'RTF Template Inject Technique Poised '
'for Widespread Adoption\u202fBeyond '
'APT Actors\u202f. Retrieved December '
'9, 2021.',
'source_name': 'Proofpoint RTF Injection',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread'},
{'description': 'Pedrero, R.. (2021, July). Decoding '
'malicious RTF files. Retrieved '
'November 16, 2021.',
'source_name': 'Ciberseguridad Decoding malicious '
'RTF files',
'url': 'https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/'},
{'description': 'Intel_Acquisition_Team. (2018, March '
'1). Credential Harvesting and '
'Malicious File Delivery using '
'Microsoft Office Template Injection. '
'Retrieved July 20, 2018.',
'source_name': 'Anomali Template Injection MAR 2018',
'url': 'https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104'},
{'description': 'Baird, S. et al.. (2017, July 7). '
'Attack on Critical Infrastructure '
'Leverages Template Injection. '
'Retrieved July 21, 2018.',
'source_name': 'Talos Template Injection July 2017',
'url': 'https://blog.talosintelligence.com/2017/07/template-injection.html'},
{'description': 'Hanson, R. (2016, September 24). '
'phishery. Retrieved July 21, 2018.',
'source_name': 'ryhanson phishery SEPT 2016',
'url': 'https://github.com/ryhanson/phishery'}],
'id': 'attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:49:28.862Z',
'name': 'Template Injection',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Michael Raggi @aRtAGGI',
'Brian Wiltse @evalstrings',
'Patrick Campbell, @pjcampbe11'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.4'}