chat
expand_more

Microsoft Impersonated to Deliver COVID-19 Phishing Attack

In this attack, attackers impersonate a company's Human Resources department and send a COVID-19 scan via a lookalike Microsoft Office 365 email. The original message to the recipient appears to originate from the company’s internal human resources email address.
February 26, 2021

In this attack, attackers impersonate a company's Human Resources department and send a COVID-19 scan via a lookalike Microsoft Office 365 email.

Summary of Attack Target

  • Platform: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Microsoft Impersonated in Phishing Attack

The original message to the recipient appears to originate from the company’s internal human resources email address. The email looks to be a regular Microsoft O365 notification, notifying the recipient that a document has been shared with them, but the link embedded in the message leads to a phishing site.

The impersonated O365 email contains a document that poses as a PDF regarding a "Covid-19 Report". The email itself includes the Microsoft logo in the footer, increasing the visual legitimacy of this message. The email also states that the file is secure and has been scanned for viruses, which may dupe the recipient into following the link.

When clicking the link in the email, the recipient is presented with a page that appears nearly identical to that of the Microsoft login page and prompted to input their credentials.



Although this appears to be the legitimate Microsoft login page, the URL 'googleusercontent.com' clearly has no relation to Microsoft. If the recipient were to input their login information to "view the document" that they just received, their credentials would be compromised by the attacker.

Why It Bypassed Existing Security Infrastructure

In this attack, the attackers spoof an internal email domain, which can be challenging to catch, especially if expertly done. The attackers also utilized a trusted brand—Microsoft—to deliver their phishing link, utilizing a very convincing email template and login screen. And because the Microsoft email leads to a Microsoft site, the attack relies on users simply inputting their password in order to see the COVID-19 report.

Abnormal Security prevented this attack by analyzing various attack signals that flagged this email as malicious. Key indicators were the impersonation of a known brand, the presence of a suspicious link, and a mismatch between the sender domain and the display name.

These signals, combined with a dramatic increase in COVID-19 phishing attacks, work together to inform us that this message is malicious. As a result, this message is blocked from inboxes before it can lead to compromised employee accounts.

Discover how Abnormal Security can stop brand impersonations and credential phishing emails for your organizations. Get started by requesting a short demo.

Microsoft Impersonated to Deliver COVID-19 Phishing Attack

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

 
Integrates Insights Reporting 09 08 22

Related Posts

B 1500x1500 MKT468a Open Graph Images for Phishing Subjects Blog
Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
Read More
B Threat Report BEC VEC Blog
Our H1 2024 Email Threat Report revealed significant year-over-year increases in both business email compromise and vendor email compromise. Learn more.
Read More
B 2 7 24 Product Update
Abnormal product enhancements improve detection efficacy, reporting on QR code attacks, productivity, and protection from account takeover.
Read More
B 1500x1500 Quishing Stats Blog 02 05 24
Today we released our H1 2024 Email Threat Report, which examines the threat landscape and dives into the latest evolution in phishing: QR code attacks.
Read More
B 1 30 23 Microsoft ATO
A recent nation-state actor attack by the Russian-backed threat group Midnight Blizzard infiltrated Microsoft. Discover how Abnormal can protect you from account takeovers in real time.
Read More
B Look alike Domain Tactics
Learn 6 common look-alike domain tactics, some of the ways attackers use look-alike domains, and steps you can take to reduce your risk.
Read More