Recently, Microsoft has announced that they identified a cybercrime operation leveraging multiple methods to infect employee workstations with IcedID malware. The methods include a modified Zoom “standalone” installation that embeds malware in the Zoom client, as well as malicious Excel files with Excel 4.0 XLM macros, and abusing contact forms on legitimate websites to send messages to employees, TheRecord reports. These attackers use automated scripts that fill out contact request forms with a set message template, most frequently a copyright claim. These contact request forms are emailed to site owners and contain a link to download a document which employees are instructed to view. However, the document contains macros that download and execute IcedID, a credential stealer that can be used to load other malware, such as Cobalt Strike. Microsoft warns that when the threat actors have interactive access to the compromised workstations through Cobalt Strike, they can use that access to move laterally, take over servers, and deploy ransomware across an enterprise.

Fig 1.1, an example contact form found on a legitimate website