I've recently written a simple keylogger using classic DLL-injection technique. I wanted to simulate a real phishing attack where the user opens an Office document with macros and by enabling them he downloads and runs my keylogger. While the keylogger itself is not being recognized as a thread, the VBA script is.
I've searched for a similar question and I've only found questions about how to obfuscate metasploit/empire payloads. I've even tried some of them, but they all got recognized as a threat (I've used msfvenom shinkata as encoder).
I don't want to use any existing tools. I'd like to learn how Windows Defender recognizes that piece of VBA script as malicious. I've read that it uses both signature-based scanning along with runtime execution analysis. All bypassing techniques which I've found on internet tried to obfuscate code which in my understanding can only try to bypass the signature scanning part.
Environment: default Windows 10 configuration
Also if any of you know a way to force Windows Defender to tell me why it recognized my code as a threat (for example "use of unsafe function", etc) it would be super helpful!