The Emotet botnet has switched to a new template used by malicious attachments that pretend to be a Microsoft Office Activation Wizard.

When conducting spam campaigns, the actors behind Emotet will use malicious Word document templates that are designed to trick recipients into enabling macros in the document. Once these macros are enabled, a script will be executed that downloads and installs the Emotet Trojan and possibly other malware onto the recipient’s computer.

While the spam emails are still using a mix of reply-chain and direct emails pretending to be fake invoices, order confirmations, payment confirmations, and shipping issues, they have now switched to a new document template that pretends to be a Microsoft Office Activation Wizard.