Over the past week, several researchers have spotted a new phishing campaign called LightBot. The campaign, which was normally used to distribute TrickBot's BazarLoader, has started installing a malicious PowerShell script instead.
LightBot phishing emails pretend to come from sources such as the legal department, notifying users about a customer complaint.
Each LightBot email contains a link to a Google Drive document. Clicking that link takes the user to a Google Docs page with a disabled preview, which makes the victim download the document.
The main function of LightBot is to collect data about the victim's network to determine whether the victim is high-value enough to be targeted in further campaigns.