According to researchers from Trend Micro and Dodge This Security the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation.

[Image credit: Trend Micro]

The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script. If you're running a newer version of Microsoft Office, though, you'll still need to approve the malware's download before it infects your PC.

That's because the more modern versions of the suite has Protected View, which will show a prompt warning you about a "potential security concern" when the script starts running. Just click Disable, and you'll be fine. However, older versions of the suite don't have that extra layer of security. The downloader can install a Trojan virus into your system to steal your credentials and bank account information the moment your mouse pointer hovers over the link.

[Image credit: Trend Micro]

The good news is that the spam emails died down back on May 29th after peaking on the 25th with 1,444 detections by Trend Micro. Still, it's better to steer clear of similar emails, since it's always possible that the campaign in May was just a test run for a bigger one.