The COVID-19 Email Attack Landscape

March 24, 2020

Abnormal Security

Ken Liao

As many have reported, the number of cyber attacks related to COVID-19 is spiking. Some researchers are reporting that COVID-19-related attacks represent the largest set of attacks on the same theme they’ve ever seen. 

This is part 1 of the 3-part series on COVID-19 and email attacks. Attackers are using fear and urgency of the COVID-19 backdrop as employees start shelter-in-place routines. These attacks are never-before-seen and being delivered to employee inboxes. Our 3-part series includes:

  1. Attack landscape (this blog): in part one, we discuss the landscape of attacks that are entering mailboxes, the traits of the attacks, and the goal of the attacker.
  2. Abnormal protection measures: in part two, we discuss the measures taken by the Abnormal Security detection platform to detect and protect against this new type of attacks.
  3. Reporting on COVID-19 attacks in the Abnormal portal: in part three, we discuss how customers can see and report on the attacks that Abnormal is detecting and preventing from hitting their employees’ inboxes with newly created filters.

In addition, in our COVID-19 Resources Center, see examples of actual attacks Abnormal Security has detected, along with a deep dive that dissects the attack facets being employed to engender fear, urgency, and engagement with the recipient.

The Overall COVID-19 Email Attack Landscape

COVID-19 and coronavirus email based attacks are increasing. The number of attacks seems to follow a similar exponential trend to the increasing number of cases, and coverage by the media. Below is a chart of the attack volume (numbers are shown on a normalized basis by week). 

Since these attacks are novel and never-before-seen, they’re being delivered to employee inboxes at organizations without advanced email protection like Abnormal Security, and are receiving a high rate of engagement from unsuspecting employees.

The majority of COVID based attacks are scams. The remainder consists of credential phishing and spam. Below is a chart of the different attack types (numbers are normalized as a percentage).

What techniques are these attackers using?

These attacks are taking many forms, and at the bottom of this post, we’ve collected Abnormal Security’s deep dives on several examples of these attacks we’ve observed in the real world. 

Most attackers are leveraging one technique to attempt to engage with recipients: impersonation. Attackers are impersonating trusted entities, like the CDC, university health task forces, or the Public Health Agency of Canada (amongst many others) to increase the likelihood that recipients will engage with their emails. These impersonation attacks come in two distinct flavors:

  • Compromised accounts: We’ve seen many attacks coming from compromised accounts. For example, Abnormal has seen compromised accounts from at least two major universities used to launch attacks on unsuspecting businesses (Abnormal has since notified the universities of these compromised accounts). These are especially dangerous attacks because they otherwise appear to be legitimate, and, depending on the kind of account compromised, can lend an air of authority to the messages they are including which can make it more likely for recipients to engage with these emails.
  • Spoofed accounts: Many attackers are registering legitimate-looking domains or spoofing email display names to trick users into engaging with their emails.

What is the goal of the attacker?

Attackers are using the techniques above for the following ends:

  • Credential Theft: Many of these attacks appear to be attempting to steal the recipients’ credentials. In many of the attacks detected and stopped by Abnormal, the attackers have included links to landing pages designed to look like the Office 365 login page, hoping that panicked or distracted victims will enter their credentials before they realize the landing pages are fake.
  • Scams: Some attackers are using (fake) news of a secret vaccine or other protection from COVID-19 and the novel coronavirus to attempt to engage with recipients and likely scam them out of 
  • Malware: Attackers are using malicious links within these emails to deploy malware on users’ computers. These links might look innocuous within the email, but the actual URL being linked to is different from the URL printed in the email. Some attackers are even registering official-looking URLs (like to leverage for these attacks.

In general, attackers are using fear, urgency, and time-sensitivity of COVID-19 to deliver targeted attacks that are being engaged with by employees. Especially as the workforce is entering a shelter-in-place mode, modern email security is required that stays ahead of the constantly evolving threat landscape. 

In part two of our three-part series, we provide an overview of Abnormal Security’s measures that protect employee mailboxes in the face of an ever-changing threat landscape.

Like our article? Share our content