Covid Report from Microsoft Phishing Attack - Abnormal Security

Covid Report from Microsoft Phishing Attack

In this attack, attackers impersonate a company’s Human Resources department by sending out a COVID-19 scan via a look-a-like Microsoft O365 email.

Quick Summary of Attack

  • Platform: Office 365
  • Mailboxes: Between 5,000 and 10,000
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

What was the attack?

The original message to the recipient appears to originate from the company’s internal human resources email. While this email looks to be a regular Microsoft O365 notification notifying the recipient that a document has been shared with them, the link embedded in the message leads to a phishing site.

The impersonated O365 email contains a document which poses as a PDF regarding a “Covid-19 Report.” The email includes the Microsoft logo in the footer, increasing the visual legitimacy of this message. The email also states that the file is secure and has been scanned for viruses, which may dupe the recipient into following the link. However, the link provided actually leads to a phishing page, not a PDF.

Payload: When clicking the link in the email, the recipient is presented with a page that appears nearly identical to that of the Microsoft login page and prompted to input their credentials. Although this appears to be the legitimate Microsoft login page, the URL ‘’ clearly has no relation to Microsoft. If the recipient were to input their login information, their credentials would be compromised by the attacker.

Why might this attack bypass existing email security?

In this attack, the attackers spoof an internal email domain which can be challenging to catch, especially if expertly done. The attackers also utilized a trusted brand, Microsoft, to deliver their phishing link. Abnormal Security prevented this attack by analyzing various attack signals that flagged this email as malicious. Key indicators were the impersonation of a known brand, Microsoft, the presence of a suspicious link, and a mismatch between the sender domain and the display name. 

Related content