This attack requires significantly more user interaction than normal payloads: the user must open the Word document, double-click the embedded OLE object, and then click Run on the subsequent security warning. Typically, attackers using Microsoft Office documents use macros to infect machines, since that only requires users to click the Enable Macros button after opening the attachment. User awareness and training may protect against this, but technical controls should be implemented to further mitigate the risk. For example, email attachment scanning is a component of many email security software suites. Companies can also implement application allow-lists to prevent unauthorized executables from running.
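One check an attachment scanner can apply to this delivery method, shown as an added example that is not from the source article or any vendor product: it lists embedded objects in a Word attachment and flags those that look like Object Packager payloads. It assumes the attachment is an OOXML `.docx` (legacy `.doc` is not covered), uses a byte-pattern heuristic rather than a full OLE parser, and the function names and the sample document are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file signature
# Name of the stream Object Packager uses for an embedded file, as stored
# (UTF-16LE) in the compound file's directory.
PACKAGER_STREAM = "\x01Ole10Native".encode("utf-16-le")
MAX_READ = 16 * 1024 * 1024                       # cap per-part read (zip-bomb guard)


def find_embedded_ole(docx_bytes):
    """Return [(part, is_ole2, is_packager)] for parts under word/embeddings/."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return []                                 # not an OOXML container
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().startswith("word/embeddings/"):
                continue
            with zf.open(info) as part:
                data = part.read(MAX_READ)
            is_ole2 = data.startswith(OLE2_MAGIC)
            findings.append((info.filename, is_ole2, is_ole2 and PACKAGER_STREAM in data))
    return findings


def verdict(docx_bytes):
    """Quarantine packaged objects; send any other embedding for review."""
    hits = find_embedded_ole(docx_bytes)
    if any(pkg for _, _, pkg in hits):
        return "quarantine"
    return "review" if hits else "pass"


def build_sample(embed):
    """Constructed test document: minimal zip, optionally with a fake packaged object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if embed:
            zf.writestr("word/embeddings/oleObject1.bin",
                        OLE2_MAGIC + b"\x00" * 504 + PACKAGER_STREAM)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("packaged", build_sample(True))):
        print(label, verdict(doc), find_embedded_ole(doc))
```

Embedded spreadsheets and charts also live under `word/embeddings/`, which is why anything without the packager stream is only sent for review.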
In typical attacks, the initial infection is designed to gain a foothold on the network and pivot to more systems to cover as much of the environment as possible. However, this version of AstraLocker only infects the system on which the attachment was opened. Companies can protect against “smash and grab” style attacks like this by ensuring business-critical files are not stored on local machines and by building and maintaining a quick re-imaging process to expedite recovery.
Source:
https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users-directly-from-word-attachments/