The MS-ISAC observes specific malware variants consistently reaching the Top 10 Malware list. These specific malware variants have traits allowing them to be highly effective against State, Local, Tribal, and Territorial (SLTT) government networks, consistently infecting more systems than other types of malware. An examination of the characteristics of these malware variants revealed that they often abuse legitimate tools or parts of applications on a system or network.
One such legitimate part of an application is macro instructions.
Macro instructions (macros) are a set of rules or instructions used to automate repetitive or complex tasks. These instructions are compressed into a smaller form and, when used, are decompressed into the original instruction details. Macros are often used by cyber threat actors (CTAs) to obfuscate the delivery of malicious payloads. CTAs use social engineering to trick end users into opening malicious Microsoft Word or Excel attachments included in malspam emails.
Once an end user opens the attachment, they are prompted to enable macros.
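
A mail-gateway style check, added here as an example and not part of the original text: it flags Word or Excel attachments that carry a VBA macro project, so they can be held before a user is ever prompted to enable macros. The function names and the sample files are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy .doc/.xls files
MACRO_FREE_EXT = ("docx", "xlsx")              # formats that should not hold macros


def build_sample(with_macro):
    """Constructed sample: a minimal ZIP laid out like an OOXML Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Placeholder bytes only; this is not a real VBA project.
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def classify_attachment(name, data):
    """Return (verdict, reasons) for one attachment's file name and bytes."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can embed macros; this check cannot rule them out.
        return "inspect", ["legacy OLE2 container, needs deeper macro analysis"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office", ["neither an OOXML (ZIP) nor an OLE2 file"]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = [p for p in z.namelist() if p.lower().endswith("vbaproject.bin")]
    if not parts:
        return "clean", ["no VBA project part found"]
    reasons = ["VBA project part present: " + ", ".join(parts)]
    if ext in MACRO_FREE_EXT:
        reasons.append("extension ." + ext + " does not normally carry macros")
    return "macro", reasons


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample(True)),
        ("report.docx", build_sample(True)),   # macro part behind a .docx name
        ("notes.docx", build_sample(False)),
        ("old.doc", OLE_MAGIC + b"\x00" * 16),
    ]
    for name, data in samples:
        print(name, classify_attachment(name, data))
```

A "macro" or "inspect" verdict is a reason to quarantine or strip the attachment at the gateway; it does not by itself mean the macro is malicious.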