Phishers Leverage Fake Coronavirus Alert to Steal Users’ Office 365 Credentials


Threat Alert

Phishers Leverage Fake Coronavirus Alert to Steal Users’ Office 365 Credentials

David Bisson

Digital attackers are leveraging fake alerts concerning the coronavirus outbreak in an attempt to steal users’ Office 365 credentials.

An Outbreak of Scams in Your Local Area

Discovered by AppRiver, the phishing campaign masquerades as an alert from the Centers for Disease Control and Prevention (CDC), the leading national public health institute in the United States. The email informs recipients that the CDC had detected new cases of their city. The scammers then instruct the recipient to visit a website for the purpose of learning about these cases and avoiding “potential hazards.”

Not surprisingly, the alert contains some awkward wording in its body text:

"The Centers for Disease Control and Prevention (CDC) continues to closely monitor an outbreak of a 2019 novel coronavirus (2019-nCoV) in Wuhan City, Hubei Province, China that began in December 2019. CDC has established an Incident Management System to coordinate a domestic and international public health response. Updated list of new cases around your city are available at ( ) You are immediately advised to go through the cases above to avoid potential hazards."

Not surprisingly, clicking on the website doesn’t send users to a website of new coronavirus cases in the United States. (CDC has its own link for that purpose.) Instead, the link leads users to a phishing landing page that attempts to steal their Office 365 credentials.

A Proliferation of Coronavirus-Themed Scams

AppRiver says in its analysis of the attack that it expects to see additional malicious activity from digital criminals capitalizing on the fear surrounding the coronavirus outbreak. Presented below are just a few of the other coronavirus-themed attacks that have already emerged in the weeks following AppRiver’s discovery.

Coronavirus-themed spam targets Japanese users with Emotet

IBM X-Force discovered a campaign that targets users with emails informing them of new coronavirus cases in the Gifu, Osaka and Tottori prefectures. These emails instruct users to open an attached Microsoft Word document in protected mode. Upon enabling content, the document’s obfuscated VBA macro script uses PowerShell to secretly download Emotet.

Many of the campaign’s emails include a footer containing a postal address, phone number and fax number. This tactic adds a sense of legitimacy to the campaign for the purpose of tricking even more users into opening the malicious attachment.

Partly as a result of the campaign described above, Emotet retains its top spot on Check Point’s monthly “most wanted” malware list in January 2020.

short time later, IBM X-Force spotted a similar campaign leveraging fears surrounding the coronavirus to spread samples of the Lokibot trojan family.

Random coronavirus-themed phishing attacks

In early February, Kaspersky Lab revealed that its security products had spotted several files pertaining to the coronavirus. These files arrived as malicious PDFs, MP4s and Microsoft Word documents. Their names imply that the files contain coronavirus detection techniques, protection instructions and/or threat developments. In reality, the files leverage various types of malware including trojans and worms to prey upon concerned users.

The Russian security firm detected these malicious samples as Worm.VBS.Dinihou.r, Worm.Python.Agent.c, UDS: DangerousObject.Multi.Generic,, Trojan.WinLNK.Agent.ew, HEUR: Trojan.WinLNK.Agent.gen and HEUR: Trojan.PDF.Badur.b.

Another fake CDC alert with a twist

Just a few days after its discovery described above, Kaspersky spotted another phishing email that claimed to originate from the CDC. This email says that it originates from the website “,” a fake domain created by scammers in order to masquerade as the U.S. public health institute. With this disguise in place, those responsible for the campaign ask recipients to support ongoing coronavirus research efforts by donating to a bitcoin wallet under their control.

This isnn’t the only ruse of its kind. In early February, the U.S. Securities and Exchange Commission (SEC) revealed that it had spotted several online promotions in which publicly traded companies claim that their products or services can prevent, detect or cure the coronavirus.  (Check Point also came across many of those types of promotions.) Most commonly, these promotions take the form of “research reports.” In response, the SEC urges consumers to stay clear of these investment frauds and to not hand over their money to suspicious organizations/actors.

A spike in pharmacy spam produced by coronavirus fears

Imperva spotted two different types of spam campaigns in which malicious actors were attempting to capitalize on the coronavirus outbreak in order to make a profit. In the first type of attack, nefarious individuals use comment spamming to inject content into comments on a specific site. This injected content consists of URLs linking to shady drug-selling businesses.

For their second campaign type, malicious actors use a comment on a random site to redirect users to a hijacked neutral site disguised as a coronavirus information resource. The hijacked site even includes a real-time map of the virus’s outbreak at the time of discovery. That being said, the purpose of the site is purely to send users to a notorious online drugstore.

Additional malware campaigns involving a coronavirus lure

Kaspersky Lab isn’t the only security firm that has discovered several malware samples attempting to capitalize on the coronavirus. Indeed, Cisco Talos also spotted its fair share of campaigns. For instance, its researchers observed one phishing email that supposedly notifies customers about the status of the coronavirus and enumerated the steps that its senders had taken in response. This email arrives with a malicious .zip archive that contains a PDF executable. Upon execution, this file installs the Nanocore RAT on the system.

Cisco Talos also discovered a malicious sample named “new infected CORONAVIRUS sky 03.02.2020.pif” during its open-source investigation. Upon further investigation, its researchers determined that this file actually loads up Parallax. This RAT achieved persistence shortly after execution by creating links in its victim’s startup folder and creating scheduled tasks.


Fake coronavirus-themed safety measures issued by WHO

SophosLabs discovered a phishing email that masqueraded as correspondence from the World Health Organization (WHO). The message instructs recipients to click on a button in order to learn what safety measures they could take to protect themselves against the coronavirus. In actuality, the button leads recipients to a compromised music site that renders the actual WHO page in an embedded frame. The campaign leverages this trick to convince users to supply their email login credentials. Upon providing their details, the campaign then redirects them to the actual WHO page.

In response to these and other campaigns, the WHO issued an alert warning consumers to be on the lookout for nefarious individuals posing as the organization.


Minimizing Coronavirus-Themed Spam with Robust Email Security

Organizations can help prevent nefarious individuals from preying on their users with coronavirus-themed campaigns by augmenting their email security defenses. One of the ways they can do this is by investing in a robust email security solution. This tool should be capable of analyzing suspicious emails for IP addresses, campaign patterns, URLs and other indicators that link it to known malicious campaigns. This solution should perform this analysis in real-time, thereby allowing legitimate pieces of digital correspondence to reach their intended destination.