Threat actors have devised a new trick to disable macro security warning that leverage non-malicious docs in malspam attacks. Attack chain starts with a spam message using a Word document that once opened, downloaded a password-protected Microsoft Excel file from a remote server. Once the macros are written and ready, the Word document sets the policy in the registry to Disable Excel Macro Warning and invokes the malicious macro function from the Excel file. The Excel file downloads and executes the Zloader payload using rundll32.exe.”]
Source: https://securityaffairs.co/wordpress/119902/hacking/malspam-new-evasion-technique-macro.html