TA542 typically sends out a massive number of phishing emails that tend to target multiple business verticals with some campaigns hitting over one million messages sent. They also took a bit of a break after law enforcement took down their infrastructure not all that long ago. Still, nature abhors a vacuum and TA542 was far from finished with their efforts as the new campaigns show.
What makes the new campaign different, aside from the low volume, is that there are no VBA macros inside the documents attached. Instead ProofPoint is seeing the use of OneDrive URLs that link to .zip files. These zip files contain a XLL (Microsoft Excel Add-in) files that execute the payload. As Microsoft previously announced they are planning to disable VBA macros this month (April 2022), the new attack style, without VBA, and the timing of the shift would seem to indicate that TA542 are looking at other deployment options.
More evidence that this run is part of a development testing cycle is that the group fixed a bug in their new deployment system that was preventing proper infection/compromise of the targeted system when the payload executed. As most test runs at the end of a development cycle include small test groups and bug fixes it stands to reason that this is what we are seeing from TA542.
Cybercrime is always going to be a game of cat and mouse with the threat actors usually one step ahead of the defenders. Observing development cycles is nothing new. It is good that these early stages have been seen so that proper steps can be taken to mitigate the risk of these new TTPs, but all in all it is nothing shocking. It is newsworthy, and something to take note of. As for precautions, well here the usual security first culture training, anti-phishing and spam tools and training along with good behavior-based antimalware should go a long way to help mitigate the risks of the new tactics observed.