More cybercriminals used object linking and embedding , or OLE packages , to deliver malware content during the first quarter of 2017 , according to cybersecurity technology and services company PhishMe Intelligence . The cyberthreat trend first was observed in December 2016 , closely associated to the delivery of the Ursnif botnet malware , PhishMe said . The OLE technique abuses Attack.Phishing Microsoft Office documents by prompting Attack.Phishing a victim to double-click an embedded icon to access some type of content . These objects are used to write a script application to the disk that facilitates the download and execution of a malware payload , PhishMe said . This method adds another set of techniques cybercriminals can use to evade anti-analysis and sandbox settings and to successfully infect computer systems , the company said . The threatening documents employ a similar look and feel to Microsoft Office documents using macro elements for malware delivery , but they do not feature the distinctive “ enable macros ” banner , PhishMe said . As a result , these documents defy the expectations for the delivery of malware that have been prominent in recent years . For example , a macro element can display icons or text that instruct a victim to “ enable editing ” in order to interact with a document and view content , but a document using the threatening OLE packages will not feature the characteristic yellow “ enable macros ” banner . The technique allows cybercriminals to deploy malicious files to a victim ’ s machine . Real and fake documents look similar , and the fake ones can fool Attack.Phishing even computer users who know what a macro looks like . A screen shot of the OLE Malware There are several reasons why these recent phishing campaigns Attack.Phishing distributing infected Microsoft OLE packages are particularly tricky Attack.Phishing to deal with , said Rohyt Belani , co-founder and CEO of PhishMe . “ First , because the malware is disguised as Attack.Phishing an unassuming Office document , threat actors can often use this technique to bypass the IT department ’ s sandbox environments , detection software or analysis tools that help identify malicious documents , attachments and links , ” Belani said . “ Second , since so many healthcare organizations rely on Microsoft Office applications to run their day-to-day business operations , security professionals can ’ t completely block Office documents entirely from e-mail systems . When technology layers fail and let these types of threats land in the inbox , there ’ s really one last line of defense to ensure these attacks don ’ t succeed – the employees themselves , Belani said . “ Humans , the end-users , are the linchpin for securing against attacks delivering sneaky payloads that easily bypass existing technology stacks , ” Belani said . “ We recommend healthcare CISOs seriously consider building strong phishing defense programs that transform employees into human sensors at the heart of the phishing defense strategy. ” Through behavioral conditioning , employees will become contextually aware of the e-mail content that enters their inbox , increasing their ability to recognize and report suspicious communications that very well may be phishing threats like OLE payloads , Belani said . “ By empowering employees to report suspicious e-mails directly to a healthcare organization ’ s security operations center , ” Belani added , “ this will drastically speed incident response capabilities to neutralize these threats before any major damage is inflicted . ”