Attackers use the ActiveX control to automatically execute a malicious macro after a victim enables a document. Most documents held an image to convince people to enable the content. Doing this executed the malicious macro; however, the image also concealed an ActiveX control below it. The OSTAP downloader is hidden in white text so it's invisible to people but can be read by machines. Researchers report this technique will work only on Windows 10 devices.
"As newer features are introduced to a constantly updating OS, so too the detection vendors need to update their techniques to protect the system," according to the blog post. "This often creates very exhaustive and time-consuming work, which in turn can lead to the opposite effect of pushing defenders even farther behind the attacker." Trickbot attackers are taking advantage of this.
Read more details here.