Such attacks mainly target employees on corporate networks, because in large companies, colleagues always exchange a lot of textual information. When such a file gets to the user, it does not attract attention to itself, even antiviruses cannot detect it. After opening, a URL-link is generated, through which hackers quietly install the software they need.
Proofpoint experts suspect hackers from India, China and Russia in such attacks.