Cyberattackers Ramp Up to 1.5M COVID-19 Emails Per Day

Research analyzing three months of coronavirus-themed attacks show cybercriminals adjusting threat levels to evolve with pandemic and typical employment trends.

Cyberattackers have reached a peak of sending 1.5 million malicious emails per day related to the COVID-19 pandemic over the course of the last three months, according to new research.

Research from Forcepoint analyzing coronavirus-themed attacks between Jan. 19 to April 18 found cybercriminals adjusting threat levels to evolve with pandemic and typical employment trends.

Researchers sifted through their telemetry for the keywords “COVID” and “corona” in URLs accessed directly over the web or embedded with an email, according to a blog post posted Tuesday by Stuart Taylor, senior director of X-Labs at Forcepoint.

They noticed that there was an “undercurrent of browsing requests to legitimate COVID- or coronavirus-themed URLs” beginning in mid-January, that related to either tracking sites set up to share data points or news websites, he wrote. This shows the public’s initial interest in the pandemic, and would have been the first alert to threat actors that a trend existed that could be exploited.

This activity peaked during the first two weeks in March as governments around the world began implementing lockdown efforts and employees began working remotely, according to the post. Not coincidentally, this is when threat activity began in earnest, Taylor noted.

“We saw a rise in unwanted emails (malicious, spam or phishing) containing embedded URLs using the keywords of ‘COVID’ or ‘corona,’ from negligible values in January 2020 to over half a million blocked per day the end-of-March onwards,” he wrote in the post.

During peak volumes, researchers dentified 1.5 million total COVID-related emails per day, signifying both legitimate and malicious traffic related to the current global crisis, according to Forcepoint.

Legit and Malicious Corona-Trends

Forcepoint researchers categorized the pandemic-related activity they observed in the three-month period in six ways: Legitimate web traffic, malicious web traffic, newly registered domains, legitimate email traffic, spam emails and malicious email traffic.

Each category showed specific activity trends, researchers noted. For example, public interest in COVID-19 in the form of legitimate web traffic started in January and then dipped in the three weeks following early lockdown measures in mid-March – possibly relating to so-called “news fatigue” and gradual understanding of the “new normal,” Taylor wrote. However, this activity picked up again last week.

In terms of malicious activity related to COVID-19, this began increasing noticeably in March, peaking around the middle of the month and waning as the pandemic entered the beginning of April. However, there have been spikes in malicious activity since the second week of the month that will likely continue, researchers said.

Email activity in particular has followed this trend in all three categories, Taylor wrote. Legitimate emails concerning COVID-19 ramped up in March, declined slightly, and then picked up again after the Easter and Passover holidays, he said.

Scammers also increased spam-email activity in mid-March to make adjustments to existing spambots, with more than half a million scams per day blocked by Forcepoint X-Labs from mid-March onwards, Taylor said. This trend also declined during respective periods of Easter and Passover, which is typical behavior.

Malicious email activity, like spam, also was significantly higher than normal during this period, researchers observed.

“Traditionally, the number of malicious emails seen per day through Forcepoint Cloud Email Security solutions are orders of magnitude less than the number of observed spam emails,” Taylor wrote. “The same can be said of COVID and coronavirus-themed malicious emails.”

The largest increase in malicious email activity happened in the week March 23, with a 35 percent increase in these types of emails over the final working day of the previous week, he noted.

“The first week of April saw a significant decline but the number of malicious emails has increased ever since,” Taylor wrote.

Researchers expect to continue to see a surge in COVID-19-related email- and Web-based attacks as the pandemic and lockdown efforts continue, he added.

A Pattern of Campaigns

Indeed, threat actors have taken good advantage of the coronavirus pandemic and people’s interest in information related to COVID-19, particularly through email- and web-based threats.

For instance, one recent campaign used socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area. The mails evaded top email-detection software to spread malware stealing the user’s Microsoft log-in credentials.

Another spearphishing campaign used emails claiming to be from the World Health Organization to send an attachment that unleashes the infostealer LokiBot.

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.


Suggested articles

Insider Risks In the Work-From-Home World

Forcepoint’s Michael Crouse talks about risk-adaptive data-protection approaches and how to develop a behavior-based approach to insider threats and risk, particularly with pandemic-expanded network perimeters.

SASE & Zero Trust: The Dream Team

Forcepoint’s Nico Fischbach, global CTO and VPE of SASE, and Chase Cunningham, chief strategy officer at Ericom Software, on using SASE to make Zero Trust real.

Effective Adoption of SASE in 2021

In this Threatpost podcast, Forcepoint’s SASE and Zero Trust director describes how the pandemic jump-started SASE adoption.