Payroll Malware - Abnormal Security

Payroll Malware

In this attack, attackers are posing as outsourced HR contractor informing employees of additional stimulus being provided to them and asking recipients to view the latest Payroll Report. The link to the “Payroll Report” contains a malware download.

Quick Summary

  • Platform: Office 365
  • Mailboxes: More than 50,000
  • Email Gateway: Proofpoint
  • Email Security Bypassed: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

What was the attack?

  • Setup: This attack leverages changes in payroll many employees face due to the changing economic climate in response to COVID-19. The attacker takes advantage of growing concerns surrounding reduced paychecks and layoffs, as users are more sensitive to changes regarding their payroll. By crafting the attack to appear as “good news”, the user is more likely to trust the attacker and be susceptible to the attack.

  • Email Attack: This attacker impersonates an outsourced assistant for the target’s company, claiming that they are offering an additional bonus to the target’s payroll account. The link in the email redirects to a Google Document that hosts a second link to download malware.

  • Payload: The email contains a link to a fake payroll report hosted in Google Docs. This link hosts a word document file titled “Covid-19 ACH Payroll Report”, with a second link inside. The document claims that the report cannot be viewed on mobile devices, and that it can only be viewed via corporation desktop computers. However, this second link leads to a malware download.
  • Result: Should recipients fall victim to this attack, their operating system would be infected with malware, therefore allowing the attacker to steal sensitive personal information and potentially hijack the user’s corporate computer.

Why is this attack effective?

  • Urgency: This attack utilizes growing concerns regarding employee payroll during the COVID-19 pandemic. Users are likely to read this message, and rush to claim their supposed stimulus while ignoring obvious red flags along the way. Whether this is a result of greed or desperation, attackers are able to manipulate users into downloading harmful files.
  • Impersonation: The attacker impersonates an unknown third party, and claims to be an outsourced employee from the user’s company. The report itself impersonates an ACH Payroll Report.
  • Concealed URL: There are two URLs in this attack: the URL of the Google document, and the URL that hosts malware download. The URL of the Google document is present in the email, while the malware URL is wrapped with text inside the Google document. As the link to the malware download is not present in the email itself, this attack aims to bypass traditional domain-based detection systems.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content