
Intercept-X not blocking Excel macro trojans

We're receiving mails that got blocked by our mail gateway and I used them for testing Sophos Intercept-X.

Most of the mails I test have no attachment but links to zip files containing xls or xlsm files. I can download and execute the files without problem on my machine with Intercept-X.

VirusTotal shows some vendors detect the files as a trojan or whatever. Sophos does not. Why does it not work? It should be one of the most simple ways of attack.

I could present more examples. Here is just the latest.

Mail body:

Hello

In this letter I am sending you all the necessary documents for our
upcoming meeting, just as we discussed not long ago. Please review
the required information here:

stage1.artisanenterprisellc.com/dr--era-skiles/peters-25.zip

The zip contains audit-69241583.xls

https://www.virustotal.com/gui/file/2be4d59981938b00cf4f2c99559eefdaba7e5276de6ef8c1af454241dc435889/detection

Right-click scan: [screenshot]

[Screenshot of the xls opened in an online viewer]



  • FormerMember:

    Just to clarify, did you click on the Enable Content element? (if you haven't, don't)

    In general - the macro won't run unless you enable content either by user action or by GPO. Exploit Mitigation only interacts at the time the macro is fired - so if macro content is not enabled then you wouldn't get to that filter.

    As for ML scanning, that doesn't scan Office data files - only PEs (at this time).

    The zip would also not be malicious in and of itself - so the scanner wouldn't block it unless we had a specific detection for the hash of that zip - we don't tend to do that sort of scanning on the endpoint for emails (we do for Downloads) since emails should be passing through some filter at the demarc. You stated your filter caught this file - which is good.

    So, if you manually pulled the file down onto an endpoint - you've bypassed the protection layers most likely to filter out the file by the zip hash. Extracting the zip won't trigger anything. Opening the document will only trigger if the macro is triggered on open and if that auto-run is enabled - which it isn't by default in Windows - so the macro shouldn't actually run until you click on Enable Content. Exploit Mitigation would only kick in at that point.

    I write this all out to clarify the risk points at each stage of the defense-in-depth security approach here. This, however, doesn't give you peace of mind, since what you actually want is a sense of assurance that this type of threat would be detected and prevented. Don't just run these files on your machines! Instead, we have a file submission process that allows you to submit the file into our sandbox and we will do that for you. Contact support and they can set that all up for you.
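The reply above makes the point that the zip and the workbook are inert until the macro is enabled, so a scanner that only hashes the zip or scans PEs never looks at the thing that matters. The following is an added example (not from the thread, and not Sophos code) of the kind of gateway-side triage a defender can do instead: unpack the attachment in memory and flag Office members that carry a VBA project. For OOXML files (.xlsm/.docm) the macro project is the `vbaProject.bin` part inside the zip; for legacy OLE2 files (.xls/.doc) the script looks for the UTF-16LE storage names `_VBA_PROJECT_CUR` and `Macros` in the compound-file directory. The OLE check is a byte-level heuristic, not a full OLE parser, and the sample attachment it runs on is constructed in the script (the file names are placeholders, not the file from the post).

```python
import io
import zipfile
from typing import Dict, List, Optional

# Real format signatures: OLE2 compound file (legacy .xls/.doc) and PKZIP (OOXML .xlsm/.docm).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OLE directory entries store stream/storage names as UTF-16LE. Excel keeps its VBA
# project under "_VBA_PROJECT_CUR", Word under "Macros". Heuristic, not a full parser.
OLE_VBA_MARKERS = [
    "_VBA_PROJECT_CUR".encode("utf-16-le"),
    "Macros".encode("utf-16-le"),
]


def office_file_has_macros(data: bytes) -> Optional[bool]:
    """True/False for an Office file, None if the bytes are not an Office document."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        # OOXML stores the macro project as a binary part named vbaProject.bin.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        # Only call it an Office file if the mandatory content-types part is present.
        return False if "[Content_Types].xml" in names else None
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return None


def triage_zip_attachment(zip_bytes: bytes) -> List[Dict]:
    """Report each member of a zip attachment with its macro status."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            member = outer.read(info.filename)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "has_macros": office_file_has_macros(member),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed test attachment (placeholder names), not the file from the thread."""
    # Minimal OOXML-shaped workbook that carries a VBA project part.
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 32)
    # Same shape without a macro project.
    xlsx = io.BytesIO()
    with zipfile.ZipFile(xlsx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    # Fake legacy .xls: OLE header padded to one sector, then a UTF-16LE storage name.
    xls = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("audit-PLACEHOLDER.xlsm", xlsm.getvalue())
        zf.writestr("clean.xlsx", xlsx.getvalue())
        zf.writestr("legacy.xls", xls)
        zf.writestr("readme.txt", "not an office file")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(f"{finding['name']:<28} {finding['size']:>6} bytes  macros={finding['has_macros']}")
```

A `True` result means the file carries a macro project, not that it is malicious; the reply's point stands that nothing executes until content is enabled. The value of running this at the gateway is that a macro-bearing spreadsheet arriving from an external sender is a policy decision you can make before the user is ever shown the Enable Content button.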


  • What I wanted to point to with my initial post:

    there are vendors who detected the file as malicious even before it had been uploaded to VirusTotal. Intercept-X, with all it's supposed to be (nextGen, heuristics, early detection and whatever nice words someone created), does not. This is something I find somewhat frustrating. It's not a $5 give-away AV software.

    Sophos is somewhere in the centre of the Leader Quadrant of Gartner EPP.

    Maybe I'll take the time to really execute such a file on a test machine in the future.