Abnormal Attack Stories #4: Coronavirus Phishing Attacks

February 14, 2020

Abnormal Security

Abnormal Security

Quick Summary:

  • Platform: Office 365
  • # Mailboxes: Between 1,000 and 5,000
  • Email Gateway: MessageLabs
  • Email Security: Office 365
  • Victims: Internal Employees
  • Payload: Malicious Link
  • Technique: Brand Impersonation

What was the attack?

  • Setup: This attacker registered a new domain (cdc-gov.org) at the end of January from which they could send convincing-looking emails impersonating the CDC.
  • Email Attack: The attacker sent an email leveraging fear and uncertainty around the novel coronavirus. The subject of this email (“2019-nCoV: Coronavirus outbreak in your city (Emergency)”) was specifically designed to create a sense of urgency on the part of the victim, and the email itself encouraged victim to click a link to see what was purported to be a list of cases in their city.
  • Payload: The URL written in the email does not match the actual URL to which recipients were directed. This URL led to a page made to look like an Office 365 login page. Presumably, the attacker hoped that a victim would be flustered enough by the idea of outbreaks of coronavirus in their city to assume that they’d been inadvertently logged out of their Office 365 instance and enter their credentials here.
  • Result: This attack was an attempt at stealing user’s credentials.

Why is this attack effective?

  • Urgency: The novel coronavirus outbreak is, of course, of concern to many people, and this email leverages the urgency with the specificity that outbreaks are occurring in the recipient’s city. Many of the rest of the oddities of this email are dependent on the victim ignoring the oddities
  • Convincing domain: The attacker registered a domain (cdc-gov.org) specifically for this attack at the end of January. Young domains like this are typically indicative of an attack. But to someone unfamiliar with the real CDC domain (cdc.gov) and who may be reacting to the content of the email suggesting new cases near them, this email domain could look close enough to the real thing to assuage suspicions.
  • Concealed URLs: Although the written URL in the email was ostensibly to a CDC site listing cases in the recipient’s city. However, the actual link takes the recipient to a login page for Office 365, where the attacker hopes that a victim – focused more on the outbreak than the oddity of running across this site and assuming they’ve been inadvertently logged out of their Office 365 account – will enter their credentials so the attacker can steal them.

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Targeted Email Attack

Payload

Techniques to Detect

Like our article? Share our content