Pierluigi Paganini May 31, 2021

Hackers are attempting to exploit the return to the “new normal” after the governments are removing restrictions imposed in response to COVID-19.

The number of COVID-19 infections are decreasing in many countries and some governments are reducing the restrictions for their citizens. Workers are going back to offices after months of remote working and crooks are attempting to exploit the situation by conducting spear-phishing attacks against their organizations.

Researchers from Cofense Phishing Defense Center (PDC) uncovered a phishing campaign aimed at gathering login credentials from employees by posing as the Chief Information Officer (CIO). The messages pretend to provide information about changes to business operations the company is taking relative to the COVID-19 pandemic.

“The body of the email appears to have been sent from a source within the company, giving the company’s logo in the header, as well as being signed spoofing the CIO. By pretending to be an executive, the threat actor has sent a false newsletter explaining the new precautions and changes to business operations the company is taking relative to the pandemic.” reads the analysis published by Cofense.

The emails were crafted to steal company and personal credentials, they include a link to a fake Microsoft SharePoint page with two documents that outline new business operations.

Upon clicking on the documents, victims have displayed a login panel that prompts them to provide login credentials to access the files.

“Instead of simply redirecting to a login page, this additional step adds more depth to the attack and gives the impression that they are actual documents from within the company.” continues the analysis. “This is uncommon among most Microsoft phishing pages where the tactic of spoofing the Microsoft login screen opens an authenticator panel,” the report said. “By giving the files the appearance of being real and not redirecting to another login page, the user may be more likely to supply their credentials in order to view the updates.”

In other attacks observed by the experts, threat actors used fake validated credentials. The first few times login information is entered into the panel, victims will observe the error message, “Your account or password is incorrect.”

Then the victim will be redirected to an authentic Microsoft page in the attempt to trick them into thinking they’ve successfully accessed the files. This technique trick victims into believing to have provided the correct login information and he has access to the OneDrive documents. Unfortunately, the threat actor now has full access to the account owner’s information.

“As the world begins returning to normal, and as new standards are set in place, threat actors are certain to continue using every tool at their disposal to steal information from whomever they target. This campaign is another example of the types of attacks designed to compromise credentials and evade secure email gateways.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, COVID-19)

[adrotate banner=”5″]

[adrotate banner=”13″]