Macro malware embeds malicious VBA code in Office documents — when enabled by the victim, the macro downloads and executes additional malware. Common phishing payload.
"Enable Content" prompt is the macro execution gate. Disable macros by default (Group Policy). AMSI (Antimalware Scan Interface) scans macro code at runtime. Most Office phishing attachments use macros or exploits targeting unpatched Office.