I personally investigated a real SOC incident where a simple USB folder triggered a VBScript worm.

The case study walks through: How legacy scripts and social engineering bypass modern defenses Browser shortcut hijacking for persistence Worm propagation via removable drives Indicators of Compromise Dynamic analysis with Any.run