Office 365 users that are returning to the workplace targeted with Coronavirus training resources

Pierluigi Paganini June 29, 2020

Experts are warning of a new phishing campaign aimed at Office 365 users that are returning to the workplace with Coronavirus training resources.

Threat actors continue to use Coronavirus lures adapting their technique to the current situation. The attack techniques adopted by the threat actors depends on the state of businesses in each region. In places where there are Coronavirus is still spreading, cybercriminal use COVID-19 lures. In other regions where the pandemic is under control, while people are returning to the workplace, threat actors are targeting them with messages providing employee coronavirus training resources.

“As businesses re-open, Coivd-19 continues to pose a threat so organizations are implemented testing programs and enforcing new workplace rules to prevent new infections. To prepare employees for this ‘new normal,’ many organizations have been carrying out webinars and short training courses to explain the restrictions and requirements.” reads the report published by CheckPoint.

“Criminals are ever alert to these new opportunities, so it’s no surprise that our researchers detected cyber criminals distributing phishing emails and malicious files disguised as Covid-19 training materials.”

The campaign is targeting Office 365 users, the spam messages include a link to register to the training: “COVID-19 Training for Employees: A Certificate for Health Workplaces.”

The link redirects users to a malicious page designed to trick them into providing their credentials.

CheckPoint researchers said that coronavirus-related attacks are decreasing–with an average number of around 130,000 attacks per week in June, a 24% decrease when compared to May’s weekly average.

Experts also observed new phishing campaigns using big breaking news events as bait, including the Black Lives Matter (BLM) movement.

“A prime example is the ‘Black Lives Matter’ movement.  In early June, as global protests reached their peak, we discovered a malicious spam campaign related to the movement. The emails distributed the infamous Trickbot malware as a malicious doc file typically named in the format, “e-vote_form_####.doc” (#=digit).” continues the report.

“The emails were sent with subjects such as “Give your opinion confidentially about ‘Black Lives Matter’”, “Leave a review anon about ‘Black Lives Matter’“ or “Vote anonymous about ‘Black Lives Matter’”.”

Upon opening the spam messages and clicking on the attachment, users are redirected to a page claiming to provide an Office update which actually links to two malicious URLs that load the Trickbot malware.

“We also previously reported that due to the increase in unemployment, there was an increase in CV-themed cyber attacks in the US and Europe where malicious files disguised as CVs.” concludes the report. “The number of malicious files identified doubled in the last two months with one out of every 450 malicious files being a CV-related scam.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Coronavirus)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment