COVID-19 Back-to-Work Phishing - Abnormal Security

COVID-19 Back-to-Work Phishing

In this attack, scammers impersonate an internal company memo about when the company will return to the office, using this to steal employees’ credentials.

Quick Summary

# Mailboxes: 10,000-100,000
Email Security Bypassed: G Suite
Victims: Employees
Payload: Attachment
Technique: Impersonation

What was the attack?

Setup: With many employees forced to work from home because of the COVID-19 pandemic, this attack features a new phishing scheme around returning to the office. Despite (or perhaps because of) the rise in COVID-19 cases, companies are providing status updates to their employees on the dates office are expected to reopen and employees can return to working there.

Email Attack: The email is disguised as an automated internal notification from the company as indicated by the sender display name. But the sender’s actual address is ‘news@newsletterverwaltung.de’, an otherwise unknown party. Further, the IP originates from a blacklisted VPN service that is not consistent with the corporate IP. This indicates the sender is impersonating the automated internal system. The email is sent to a specific employee requesting a call back with an attachment and text that make it seem like the recipient has received a voicemail.

Payload: The email contains an HTML attachment containing the recipient’s name, which encourages the recipient to open it. By clicking on the attachment, the user is redirected to a SharePoint document with new instructions on the company’s remote working policy. Underneath the new policy, there is text that states “PROCEED WITH ACKNOWLEDGEMENT HERE”. Clicking on this link redirects the user to the attack landing page which is a form to enter the employee’s email credentials.

Result: If the recipients fall victim to this attack, the login credentials for their email account will be compromised, and the attackers will gain access to sensitive corporate and personal information. Although there is an explicit message telling those who fall on this landing page that they should never give out their passwords, there may be some number of recipients who still fall victim to this attack.

Why is this attack effective?

Urgency: This attack utilizes growing concerns regarding company safety protocols during the COVID-19 pandemic. This email sets a short deadline for when employees must acknowledge that they have received this message and complete the form. 

Convincing email and landing page: The attacker attempts to impersonate the company’s internal messaging system and HR department. Employees are more likely to provide credential information to others within their organization.

Related content