Microsoft says an ongoing TA505 phishing campaign is using HTML redirectors to deliver malicious Excel documents. TA505 (also tracked as SectorJ04) is a financially motivated cybercrime group active since at least Q3 2014. This is the first time Microsoft has observed TA505 using this technique in its attacks. The new campaign is detailed in a series of tweets from the Microsoft Security Intelligence account, in which the researchers say that the final payload is being dropped using an Excel document that bundles a malicious macro.
Source: https://www.bleepingcomputer.com/news/security/microsoft-detects-new-ta505-malware-attacks-after-short-break/

