Microsoft is warning Office users of a new malware campaign called BazaCall, which involves fake subscriptions, fraudulent call centers, and a malicious Excel spreadsheet, and which has been identified with human-operated attacks and ransomware deployments.

The attack starts with an email, which tells a user they have come to the end of a free trial for a specific piece of software and that payment will be taken soon. The email also states payment details have already been provided and that the user has agreed to continue using the software.

Calling the number leads to a fraudulent call center where an operator tells the user to download an Excel spreadsheet using a link they provide. The file contains a malicious macro, which is triggered when the user clicks “Enable Content” in the spreadsheet. This in turn leads to the BazaLoader malware being installed and used to download an additional payload.

Microsoft says that once the attackers have access, they steal user credentials and Active Directory databases, and can ultimately decide to infect the system with ransomware before demanding payment to unlock the encrypted data.

As the initial email doesn’t contain any malicious links or attachments, it’s difficult for security software to detect the threat. It’s the user who ends up doing the hard work for the attacker once they are on the phone following instructions. Microsoft 365 Defender’s cross-domain visibility allows endpoint signals to inform Microsoft Defender for Office 365 protections against the emails, ensuring comprehensive defense against this attack.
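Because the lure carries no link or attachment, a mail-side check has to key on what the message does contain: a billing or trial pretext plus a phone number to call. The following triage heuristic is an added example, not code from Microsoft or from the original article; the keyword list, the phone pattern and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Loose phone matcher (assumption): 10 to 15 digits with short separators between them.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d[\s().-]{0,2}){9,14}\d(?!\d)")
# Lure phrases modelled on the campaign description: expiring trial, pending charge.
LURE_TERMS = ("free trial", "subscription", "will be charged", "payment", "renew")


def callback_lure_score(raw: str) -> dict:
    """Flag mail with no URL or attachment that pairs a billing lure with a phone number."""
    msg = message_from_string(raw)
    text_parts, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            has_attachment = True
        elif part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            text_parts.append(payload.decode(charset, "replace"))
    body = (msg.get("Subject", "") + "\n" + "\n".join(text_parts)).lower()
    hits = [t for t in LURE_TERMS if t in body]
    result = {"has_url": bool(URL_RE.search(body)), "has_attachment": has_attachment,
              "has_phone": bool(PHONE_RE.search(body)), "lure_terms": hits}
    # Suspect only when the usual malicious content is absent but the callback lure is present.
    result["suspect"] = (not result["has_url"] and not has_attachment
                         and result["has_phone"] and len(hits) >= 2)
    return result


# Constructed sample messages (not real campaign mail).
LURE = """From: billing@example.test
Subject: Your free trial is ending
Content-Type: text/plain; charset=utf-8

Your free trial ends today and payment of $89.99 will be taken from the card on file.
To cancel your subscription call +1 (202) 555-0147.
"""
BENIGN = """From: news@example.test
Subject: Subscription receipt
Content-Type: text/plain; charset=utf-8

Thanks for your payment. Manage your subscription at https://example.test/account
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, callback_lure_score(raw))
```

A hit is a reason to hold the message for review or to banner it, not a verdict: legitimate billing notices can match, and the phone pattern will also match long digit runs such as dates.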

Users need to be given training on social engineering attacks and protection measures to prevent them from being spoofed.