Qbot mostly used one of three email methods: malicious links, malicious attachments, or more recently, embedded images.
In the recent attacks via weaponized Excel documents, the attack used a VBA macro to create a new macrosheet and write Excel 4.0 formulas into its cells. So, blocking the VBA support in MS Office could prevent this attack even if the Excel 4.0 macros were enabled.
In the year 2021, the attackers started using non-active URLs to avoid detecting malware via detonating URLs in the sandbox. So, the user had to write the URL manually in the web browser to continue the infection. In the recent attacks, the malicious URL was displayed as an image embedded in the document.
See also:
Multiple Qakbot campaigns that are active at any given time prove that the decade-old malware continues to be many attackers’ tool of choice, a customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it. Since emerging in 2007 as a banking Trojan...
www.microsoft.com