Cofense discovered a Polish-language phishing campaign targeting users with DHL-themed emails. The email messages contained XLS attachments used to run malicious macros, and the attached spreadsheet entices users to enable them. Once enabled, the macros check that the target system uses the Polish language and, if so, download and execute a VBE script. A payload is then repeatedly requested from a remote server, and each response is executed as a separate PowerShell script. Once a connection to the C2 server is established, PowerShell commands are issued to gather information about the victim host. The scripts downloaded from this C2 server include one that checks anti-virus and then establishes persistence via both the registry and a startup shortcut, one that downloads a DLL (without executing it), and one that executes the previously downloaded DLL. In one case observed by the researchers, this final payload was the Ursnif malware.
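A defender's view of the chain described above, as an added example that is not taken from the Cofense report: it correlates process-creation records to flag Excel launching a VBE script that then starts PowerShell repeatedly. The field names, thresholds and sample events are constructed, and it assumes the VBE script runs under Windows Script Host and that the PowerShell processes are its direct children.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"excel.exe"}                         # the lure is an XLS attachment
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: the VBE runs under WSH
MIN_POWERSHELL = 3                             # assumed threshold for "repeatedly"
WINDOW = timedelta(minutes=10)                 # assumed correlation window
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"

def ev(ts, host, pid, ppid, image, cmd):
    """Normalise one process-creation record (hypothetical field layout)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": pid,
            "ppid": ppid, "image": basename(image).lower(), "cmd": cmd.lower()}

# Constructed sample events; none of these values come from the report.
EVENTS = [
    ev("2024-01-01T09:00:00", "WS01", 100, 10, r"C:\Office\EXCEL.EXE", "excel.exe sample.xls"),
    ev("2024-01-01T09:00:20", "WS01", 200, 100, WS, r"wscript.exe c:\temp\sample.vbe"),
    ev("2024-01-01T09:01:00", "WS01", 210, 200, PS, "powershell.exe"),
    ev("2024-01-01T09:02:00", "WS01", 220, 200, PS, "powershell.exe"),
    ev("2024-01-01T09:03:00", "WS01", 230, 200, PS, "powershell.exe"),
    # Benign contrast: a logon script started from Explorer, one PowerShell child.
    ev("2024-01-01T09:05:00", "WS02", 300, 20, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev("2024-01-01T09:05:05", "WS02", 310, 300, WS, "wscript.exe logon.vbs"),
    ev("2024-01-01T09:05:10", "WS02", 320, 310, PS, "powershell.exe"),
]

def detect(events):
    """Return one alert per Office-spawned .vbe run with repeated PowerShell children."""
    # PID reuse is ignored here; production logic should key on a process GUID.
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get((e["host"], e["ppid"]))
        if not (e["image"] in SCRIPT_HOSTS and ".vbe" in e["cmd"]
                and parent and parent["image"] in OFFICE):
            continue
        kids = [c for c in events
                if c["host"] == e["host"] and c["ppid"] == e["pid"]
                and c["image"] == "powershell.exe"
                and timedelta(0) <= c["ts"] - e["ts"] <= WINDOW]
        if len(kids) >= MIN_POWERSHELL:
            alerts.append({"host": e["host"], "script_pid": e["pid"],
                           "powershell_count": len(kids)})
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

The persistence and DLL stages would need registry and file-creation telemetry, which this process-only sketch does not cover.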