https://isc.sans.edu/forums/diary/Malspam+with+links+to+Word+docs+pushes+IcedID+Bokbot/25640/

But first, I’ll start with a poetic satire of “A Visit from St. Nicholas” by Clement Clarke Moore:

Twas the week during Christmas, when all through the net
malspam was spreading, as if on a bet.

Windows and Office were run without care
in hopes that malware would never get there.

Sysadmins weren’t patching as well as they could be,
’cause IT procedures made updates untimely.

When what to our mailservers did soon appear?
Twas emails with Word docs and macros so clear!

They slipped past our mail filters as they all came,
recipients were varied, the subjects the same.

With code full of exploits and great obfuscation,
those messages made it to many workstations.

One person was foolish and opened the Word doc,
enabling macros because, why the heck not?

His laptop infected, the malware spread quickly.
Got to the DC, the server became sickly.

Provided a backdoor throughout all their networks,
with full admin rights and some privileged perks.

The criminals were happy, their eyes shining bright.
They had a great Christmas that cold winter night!