The COVID-19 Email Attack Landscape

As many have reported, the number of cyber attacks related to COVID-19 is spiking. Some researchers are reporting that COVID-19-related attacks represent the largest set of attacks on the same theme they’ve ever seen. 

This is part 1 of the 3-part series on COVID-19 and email attacks. Attackers are using fear and urgency of the COVID-19 backdrop as employees start shelter-in-place routines. These attacks are never-before-seen and being delivered to employee inboxes. Our 3-part series includes:

  1. Attack landscape (this blog): in part one, we discuss the landscape of attacks that are entering mailboxes, the traits of the attacks, and the goal of the attacker.
  2. Abnormal protection measures: in part two, we discuss the measures taken by the Abnormal Security detection platform to detect and protect against this new type of attacks.
  3. Reporting on COVID-19 attacks in the Abnormal portal: in part three, we discuss how customers can see and report on the attacks that Abnormal is detecting and preventing from hitting their employees’ inboxes with newly created filters.

In addition, in our COVID-19 Resources Center, see examples of actual attacks Abnormal Security has detected, along with a deep dive that dissects the attack facets being employed to engender fear, urgency, and engagement with the recipient.

The Overall COVID-19 Email Attack Landscape

COVID-19 and coronavirus email based attacks are increasing. The number of attacks seems to follow a similar exponential trend to the increasing number of cases, and coverage by the media. Below is a chart of the attack volume (numbers are shown on a normalized basis by week). 

Since these attacks are novel and never-before-seen, they’re being delivered to employee inboxes at organizations without advanced email protection like Abnormal Security, and are receiving a high rate of engagement from unsuspecting employees.

The majority of COVID based attacks are scams. The remainder consists of credential phishing and spam. Below is a chart of the different attack types (numbers are normalized as a percentage).

What techniques are these attackers using?

These attacks are taking many forms, and at the bottom of this post, we’ve collected Abnormal Security’s deep dives on several examples of these attacks we’ve observed in the real world. 

Most attackers are leveraging one technique to attempt to engage with recipients: impersonation. Attackers are impersonating trusted entities, like the CDC, university health task forces, or the Public Health Agency of Canada (amongst many others) to increase the likelihood that recipients will engage with their emails. These impersonation attacks come in two distinct flavors:

  • Compromised accounts: We’ve seen many attacks coming from compromised accounts. For example, Abnormal has seen compromised accounts from at least two major universities used to launch attacks on unsuspecting businesses (Abnormal has since notified the universities of these compromised accounts). These are especially dangerous attacks because they otherwise appear to be legitimate, and, depending on the kind of account compromised, can lend an air of authority to the messages they are including which can make it more likely for recipients to engage with these emails.
  • Spoofed accounts: Many attackers are registering legitimate-looking domains or spoofing email display names to trick users into engaging with their emails.

What is the goal of the attacker?

Attackers are using the techniques above for the following ends:

  • Credential Theft: Many of these attacks appear to be attempting to steal the recipients’ credentials. In many of the attacks detected and stopped by Abnormal, the attackers have included links to landing pages designed to look like the Office 365 login page, hoping that panicked or distracted victims will enter their credentials before they realize the landing pages are fake.
  • Scams: Some attackers are using (fake) news of a secret vaccine or other protection from COVID-19 and the novel coronavirus to attempt to engage with recipients and likely scam them out of 
  • Malware: Attackers are using malicious links within these emails to deploy malware on users’ computers. These links might look innocuous within the email, but the actual URL being linked to is different from the URL printed in the email. Some attackers are even registering official-looking URLs (like to leverage for these attacks.

In general, attackers are using fear, urgency, and time-sensitivity of COVID-19 to deliver targeted attacks that are being engaged with by employees. Especially as the workforce is entering a shelter-in-place mode, modern email security is required that stays ahead of the constantly evolving threat landscape. 

What can organizations with newly remote workforces do to protect themselves?

These attacks are getting more and more sophisticated. Some attackers are even replicating entire homepages of banks on sites they control in order to trick users into divulging credentials or credit cards, for example. These attacks are also not being caught by traditional email security systems because they have few or no signals on which to detect threats. 

In addition to implementing modern, data science-based email security that can detect these email attacks and prevent them from hitting users’ inboxes, remote employees can protect themselves with some of the following tips:

  • Take a moment – do not act immediately on urgent requests. Attackers leverage urgency to trick victims into scrutinizing emails, attachments, or landing pages. Don’t fall into that trap, especially in times of high stress like the current global situation. Take a moment to assess the email, any links (before you click them), attachments (before you open them), and the text of the email itself.
  • Always double-check the URLs that you’re being directed to. Sometimes attackers will write one URL, but the actual link will take you to a page that they control themselves. Hover over links to see what the final URL destination is, and don’t click on it if it’s not somewhere you’d expect.
    • Some attackers have registered minor variations of real URLs to trick recipients, so it’s doubly important to scrutinize these URLs to ensure they’re real
    • Attackers will often replicate login pages for your email systems, like an Office 365 login page in an attempt to steal your credentials. When you see any page asking you to enter any kind of sensitive information, use extra caution. Verify the URL matches a known email system URL, verify that it’s encrypted with HTTPS (though just because it’s encrypted with HTTPS, it doesn’t meant that it’s a real login page), and verify that 
  • Verify requests with responsible parties (over a different medium than email, ideally) if you see a suspicious request. You should reach out to, say, your payroll manager to see if an email you received from them is actually valid. Attackers have sometimes compromised internal email accounts, too, so it’s ideal to use another method of communication if you can. Advanced email security systems like Abnormal can detect when internal accounts have been compromised, but if you don’t have an email system like that in place, use other means of verification before acting on requests or releasing sensitive information.
  • Research attacks so you know what to look out for. Abnormal has collected several attacks that we’ve caught, which you can see at the bottom of our COVID-19 Resources Center page. Although attacks are always changing, it’s helpful to understand what you might encounter.

Of course, the best defense against these attacks is an email security system that can detect these and prevent them from ever hitting the inboxes of employees in your organization. In part two of our three-part series, we provide an overview of Abnormal Security’s measures that protect employee mailboxes in the face of an ever-changing threat landscape.

Related content

Leave a Comment