Amazon customers were targeted in a massive spear phishing campaign where recipients received Microsoft Word documents with a macro that triggered downloads of the Locky ransomware. Researchers at Comodo Threat Research Labs say it is one of the largest spam ransomware campaigns this year.

Fatih Orhan, director of technology at Comodo and the Comodo Threat Research Labs, said the attack occurred on May 17 and lasted about 12 hours and is estimated to have pushed out as many as 30 million spam messages purporting to be an update from Amazon on a shipping order. Orhan told Threatpost the spear phishing campaign is notable not just because of its size, but also because the attackers were able to manipulate the email header to trick users. This method would be detected by controls on email gateways with sender policy framework (SPF) enabled.

The wave of malicious messages was also spotted by researchers at Proofpoint, who put the estimate of fake Amazon messages at 100 million emails. Proofpoint said the Locky ransomware attack was spread from the U.S. to European email servers and included the malicious Word document attachment but also Locky-laced JavaScript attachments.

Orhan said everything about the email header appeared legitimate to the email recipient, Orhan said. According to Comodo researchers the spam campaign recipients received emails from auto-shipping@amazon.com, with the subject, “Your Amazon.com order has dispatched (#code).” The body of the email messages was blank however with only a malicious Microsoft Word document attached to the message body. Those who opened the Word document were prompted to enable macros to view the document’s contents. Next, recipients who enabled the macros had the Locky ransomware download, install and encrypt files.

The Locky ransomware email campaign is not unique and is something security firms have been documenting since the beginning of 2016. Security researchers at Trustwave reported in March a huge spike in the Locky ransomware being distributed via a spam campaign with the payload delivered via JavaScript attachments. The Amazon ransomware attack also follows another trend when it comes to a resurgence in the use of Microsoft Office macro attacks.

According to Palo Alto, macro attacks are on the rise. “We suspect that macro-based attacks are experiencing a resurgence from the late 1990s. There are a whole new pool of victims that don’t remember how dangerous macros were and are learning the hard way to never trust macros unless sent from a 100 percent reliable source,” said Ryan Olson, researcher at Palo Alto Networks in an interview with Threatpost last week.

Comodo Threat Research Labs said the Amazon spam campaign involved spam Botnets running on hijacked virtual machines and from consumer PCs. Ransoms ranged on average between 0.5 to 1 bitcoins ($227 to $454 USD) for the email recipients of the ransomware.

“This group of unknown actors demonstrated a high level of technical email forging capabilities, especially when it comes to domain name forging,” Orhan said. “The recipients that would get these emails had no clue that this email was not from Amazon.” He said that the email campaign, while targeting Amazon customers, did not exclusively use emails of just Amazon customers and that the wave of spam hoped to entice any user to click on the Word attachment.

When asked if Amazon customers had reported incidents of this attack, Amazon did not return Threatpost’s request for comment. Comodo Threat Research Labs said there is no way to tell how many people may have fallen victim to the combo ransomware spam attack.