The first attack vector is to let unsuspecting victims download a .hta file from a compromised website. And this is due to the fact that there are vulnerabilities in MSHTML Platform Spoofing Vulnerability, known as CVE-2024-38112.
Oof. At first I thought "Well, who uses Internet Explorer nowadays anyway" but then I stumbled across this nugget:
The Void Banshee group used similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol which was able to access Windows system-disabled Internet Explorer.
Only upside is that at least it appears to require some user interaction (i.e. executing the .hta file) for the exploit to be run.
And Microsoft doesn't seem to care unless you are an enterprise customer.
Bold of you to assume that Microsoft cares about its enterprise customers