Most recently, he said, those are very straightforward emails pretending to be from an electronic fax or email system, followed by invoices or financial transfer instructions.
When opened, the macros only activate when the user clicks on something in the document -- to see an enlarged version of a table, for example. That way, Epstein explained, they evade sandbox-based security.
Even if the user has macros disabled, they will regularly approve an override out of habit, he said.
"The weakest link, again, is us," he said.
The macro then installs a new piece of malware, usually the Dridex trojan, which quietly monitors the user's browsing history and steals banking credentials.
To battle this threat, Epstein recommends upgrading to the latest gateway security technology if the current system was installed more than a couple of years ago. And, in addition to initial protection, invest in targeted attack protection and threat response technologies, he added, for when malware does slip through.
Sign up for CIO Asia eNewsletters.