Security researchers warn about a sneaky phishing campaign from one of the most creative cybercrime groups on the internet.
The phishing campaign was detected in early September. The malware was analyzed, and it was found that the malicious Excel files could bypass malware-detection systems because it contains “extremely lightweight” embedded macros, making it “particularly dangerous” for organizations that depend on detection-based security and sandboxing.
Macros, scripts for automating tasks, have become a popular tool for cyber attackers. While macros are disabled in Excel by default, attackers use social engineering to trick potential victims into enabling macros.
The MirrorBlast attack starts with a document attached to an email. It later uses a Google feed proxy URL with a SharePoint and OneDrive lure that poses as a file share request. Clicking the URL leads to a compromised SharePoint site or fake OneDrive site. Both versions lead to the weaponized Excel document.
The sample MirrorBlast email shows the attackers are exploiting the theme of company-issued information about COVID-related changes to working arrangements.
What to do?
Educate your staff to be your first line of defense and not to enable suspicious macros.
Look for:
Suspicious links
Incorrect or unexpected senders
Faulty grammar or spelling

What can you do when this happens to you?
If you find your network has been compromised, immediately shut down.
Identify the breach and type of virus or malware present.
Identify any data which might have been compromised or stolen and inform appropriate parties.
Rebuild the network from a known clean backup

Sources. Liam Tung
This new phishing attack features a weaponized Excel file | ZDNet