Spear-phishing is quickly becoming the most popular technique for hacking high-value targets. The SingHealth hack was suspected to be due to spear-phishing as well. HR is obviously most at risk, as they need to review resumes which can come as PDF or Word document.
The lawsuit notes the company determined that it was likely the same group of attackers responsible for both intrusions. Verizon also told the bank that the malware the attackers used to gain their initial foothold at the bank in the 2017 breach was embedded in a booby-trapped Microsoft Word document.
Source: Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M — Krebs on Security