Abnormal Attack Stories #11: COVID-19 Testing Malware

March 27, 2020

Abnormal Security

Abnormal Security

In this attack, malicious actors are claiming that the recipient has come into contact with someone who tested positive for COVID-19 in order to trick them into downloading an attachment containing malware.

Quick Summary:

  • Platform: Office 365
  • # Mailboxes: Between 20,000 and 50,000
  • Email Gateway: IronPort
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Malicious Attachment
  • Technique: Impersonation

What was the attack?

  • Setup: As cases of COVID-19 continue to grow, most people are naturally worried about coming into contact with others who might have it already. This email attack plays right into those fears.
  • Email Attack: The email is simple enough: someone claiming to be from the Ottawa Hospital General Campus claims that the recipient has come into contact with a colleague, friend, or family member at their company who has contracted COVID-19, and requests that the recipient print the attached form and bring it with them to the nearest emergency clinic.
  • Payload: The attachment on this email is an XLSM files – an Excel file with macros that run automatically. These files are often used to spread malware, which is almost certainly the case here.
  • Result: Any recipients of this email who downloaded and opened this file would have installed malware onto their machine.

Why is this attack effective?

  • Urgency: This email plays into the worst fear of many during the coronavirus pandemic: that they may have come into contact with someone who has COVID-19. The email requests that the recipient complete the attached form and take it with them to the nearest clinic, ostensibly to be tested for the virus themselves. This is the type of message that would spur most people into immediate action, without thinking to check whether the email is real or not.
  • Impersonated authority: The attackers are impersonating authorities at the local hospital in order to lend their attack more credibility, and make it more likely that the email would be read by the recipient and the attachment would be downloaded and opened.
  • Targeted: This email attack includes information specific to the recipients, like the company where they work, to lend the message even more credence and make it less likely that the recipients will scrutinize the email for its authenticity.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Targeted Email Attack

(click to enlarge)

Techniques to Detect

(click to enlarge)

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

COVID-19-related attack deep dives

Like our article? Share our content