Coronavirus Credential Theft

In this attack, an attacker is impersonating a university’s “health team” to trick victims into clicking a malicious link with updates on coronavirus which leads to a landing page that will steal their credentials.

Quick Summary:

  • Platform: Office 365
  • Mailboxes: Between 10,000 and 20,000
  • Email Gateway: None
  • Email Security Bypassed: Office 365
  • Victims: Staff and Students
  • Payload: Malicious Link
  • Technique: Brand Impersonation

What was the attack?

  • Setup: This attack leverages the uncertainty around the spread of COVID-19 and the recent news of universities cancelling classes, moving them online, or shutting down entirely. The attacker knows that students and staff are likely highly attuned to any news about a university’s response to the outbreak, and thus are more likely to engage with an email about it.

  • Email Attack: The attacker created an email that looked as though it was coming from a university’s board of trustees and ostensibly directed users to a page with updates on the attack from the university’s “health team”.

  • Payload: The URL written in the email does not match the actual URL to which recipients were directed. This URL led to a page made to look like an Office 365 login page. Presumably, the attacker hoped that a victim would be flustered enough by the supposed update to come to assume that they’d been inadvertently logged out of their Office 365 instance and enter their credentials here.
  • Result: This attack was an attempt at stealing user’s credentials.

Why is this attack effective?

  • Urgency: As universities are cancelling classes or shutting down their campuses, students and staff will be paying close attention to any news from their universities, and this email, which supposedly comes from the university’s “health team” is perfectly positioned to take advantage of the need for up-to-date information.
  • Impersonated authority: The attacker is impersonating the university board of trustees’ health team in this email, appealing to an authority that students and staff will want to turn to for more information. This might cause recipients to overlook certain red flags in this email that might have otherwise stopped them from opening it or clicking on links.
  • Concealed URLs: Although the written URL in the email was ostensibly to a university-run site with the latest updates from their health team, the actual link takes the recipient to what looks like a login page for Office 365. There, the attacker hopes that a victim – focused more on the outbreak than the oddity of running across this site and assuming they’ve been inadvertently logged out of their Office 365 account – will enter their credentials so the attacker can steal them.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content

Leave a Comment