These emails aren’t from these companies at all, they are just being used to make the email look more genuine. The company itself may not have any knowledge of this email and it’s link(s) or attachment as it won’t have come from their servers and IT systems but from an external bot net. Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment. Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts.”]
Source: http://sanesecurity.blogspot.com/2015/03/marflow-your-sales-order-611866xls.html