Top Email Protections Fail in Latest COVID-19 Phishing Campaign

An effective spoofing campaign promises users important information about new coronavirus cases in their local area, scooting past Proofpoint and Microsoft Office 365 ATPs.

Threat actors continue to capitalize on fears surrounding the spread of the COVID-19 virus through a surge in new phishing campaigns that use spoofing tactics to effectively evade Proofpoint and Microsoft Office 365 advanced threat protections (ATPs), researchers have found.

The Cofense Phishing Defense Center (PDC) discovered new phishing attacks that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area, according to a blog post published Tuesday by Cofense researcher Kian Mahdavi.

The emails evade basic security checks and user common sense in a number of ways, to circumvent detection and steal the user’s Microsoft log-in credentials, he said. They also don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience, according to Cofense.

“While these secure email gateways (SEGs) are designed to safeguard end users from clicking on malicious links and attachments, both failed in a new phishing attack we recently observed,” Mahdavi wrote in the post.

To evade detection by ATPs, the threat actor impersonates the domain splashmath[.]com, which is an online learning game for children, using a spoofed IP address located in the United States, 167[.]89[.]87[.]104. Upon further examination, however, the emails — sent to a number of people — didn’t come from the spoofed address, but rather an IP corresponding with the Lithuanian city of Kaunas (a situation that also points to a single individual being behind the campaign, the researcher said).

“[Because of the proxy], the email slipped past basic security checks, such as DKIM and SPF,” Mahdavi wrote.

DKIM, or DomainKeys Identified Mail, is a standard meant to ensure that the content of your emails remains trusted and hasn’t been tampered with or compromised. SPF, or Sender Policy Framework, hardens DNS servers and restricts who can send emails from a given domain. Both were developed to prevent domain-spoofing.

Once the phishing emails get past the Proofpoint and Microsoft Office 365 ATPs, the actor spoofs the sender email address and uses keywords in the subject to trick the targeted victim into believing the emails come from a trusted source of information regarding COVID-19.

For instance, the words “WHO” and “community” in the email address (who[.]int-community[.]spread@splashmath[.]com) aim to fool the user into believing the World Health Organization (WHO) is sending the email, Mahdavi wrote.

The subject of the email – “HIGH-RISK: New confirmed cases in your city” — also is designed to trick users into thinking the message will offer vital information legitimately related to the novel coronavirus, he said.

“[This subject], followed by the spoofed WHO email address and display name, thus [make] it appear as if the sender is really from the World Health Organization,” Mahdavi wrote.
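A message can pass SPF and DKIM for the domain that actually sent it and still present a display name and local part that claim another organization. The following added example (not code from Cofense or from this article) flags that mismatch; the sample message, the placeholder sending domain and the `BRANDS` watch list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the article's description. The sending domain
# is a placeholder; the local part and subject are the ones the article quotes.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounce.sender-domain.example;
 dkim=pass header.d=sender-domain.example
From: "World Health Organization" <who.int-community.spread@sender-domain.example>
To: user@recipient.example
Subject: HIGH-RISK: New confirmed cases in your city

Read on
"""

# Hypothetical watch list: brand token -> domains entitled to use it.
BRANDS = {"who": {"who.int"}, "world health organization": {"who.int"}}


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)
    return {method.lower(): verdict.lower() for method, verdict in pairs}


def impersonation_findings(raw):
    """Return (auth verdicts, findings) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    findings = []
    for brand, allowed in BRANDS.items():
        if any(domain == d or domain.endswith("." + d) for d in allowed):
            continue  # the brand's own domain may use its name
        if re.search(rf"\b{re.escape(brand)}\b", display.lower()):
            findings.append(f"display name claims '{brand}', domain is {domain}")
        # Brand used as a separate label of the local part ("who.int-community")
        if brand in re.split(r"[._+-]", local):
            findings.append(f"local part contains '{brand}', domain is {domain}")
    return auth_results(msg), findings


if __name__ == "__main__":
    verdicts, hits = impersonation_findings(SAMPLE)
    print(verdicts, *hits, sep="\n")
```

Both findings fire on the sample even though its SPF and DKIM verdicts are `pass`, which is why this check has to run alongside the authentication results rather than be skipped when they succeed.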

The email’s message also is socially engineered to take advantage of the current obsession with information about COVID-19, luring users by urging them to click on “Read on” to find out about cases in their local area.

Users may click on the words expecting to be directed to a link that would include updated documents by the WHO with that kind of information, the researcher said.

“However, the user is actually directed to a Microsoft branded credential phish to steal their Microsoft log-in information,” Mahdavi wrote.

Malicious links used in the campaigns observed by Cofense include:

hXXps://heinrichgrp[.]com/who/files/af1fd55c21fdb935bd71ead7acc353d7[.]php
hXXps://coronasdeflores[.]cl/who
hXXps://www[.]frufc[.]net/who/files/61fe6624ec1fcc7cac629546fc9f25c3[.]php
hXXps://pharmadrugdirect[.]com/who
hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php

These links also are deceptive to users in that they each show a “high-quality, spoofed Microsoft login page” once accessed, Mahdavi wrote.

Once a user clicks on one of these malicious redirects, his or her email address is attached within the URL of the webpage, which means the individual’s username automatically appears in the login box.

“Upon logging in, the user is under the impression he or she has been authenticated into a legitimate Microsoft website,” he said. “At this point, the user’s credentials are unfortunately in the hands of the threat actor.”
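A URL that carries the recipient's own address, as described above, is a usable detection signal for mail filters and web-proxy log review. The following added example (not code from Cofense or from this article) checks a URL for a given address; it goes beyond the article by also catching percent-encoded and base64-encoded forms, and the URLs, host name and address are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

RECIPIENT = "user@recipient.example"  # constructed address
# Constructed URLs; the host is a placeholder, not one of the campaign's links.
SAMPLE_PLAIN = "https://login-page.example/who/?email=user%40recipient.example"
SAMPLE_B64 = ("https://login-page.example/who/#"
              + base64.urlsafe_b64encode(RECIPIENT.encode()).decode())
SAMPLE_CLEAN = "https://login-page.example/who/?lang=en"


def _decoded_runs(text):
    """Yield the decoded form of every base64-looking run in text."""
    for run in re.findall(r"[A-Za-z0-9+/_-]{12,}", text):
        run = run.replace("+", "-").replace("/", "_")
        run += "=" * (-len(run) % 4)
        try:
            yield base64.urlsafe_b64decode(run).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64, skip


def url_carries_address(url, address):
    """Return 'plain', 'base64' or None depending on how address is embedded."""
    parts = urlsplit(url)
    # unquote() undoes percent-encoding such as %40 for "@"
    haystack = unquote(" ".join([parts.path, parts.query, parts.fragment]))
    address = address.lower()
    if address in haystack.lower():
        return "plain"
    if any(address in text.lower() for text in _decoded_runs(haystack)):
        return "base64"
    return None


if __name__ == "__main__":
    for url in (SAMPLE_PLAIN, SAMPLE_B64, SAMPLE_CLEAN):
        print(url_carries_address(url, RECIPIENT), url)
```

Legitimate unsubscribe and single-sign-on links also embed addresses, so treat a match as one signal to combine with sender and domain reputation, not as a verdict on its own.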

This latest campaign is one of many new cyber-attacks that have been created by threat actors and used in the last month as the spread of COVID-19 turned into an official pandemic and governments around the world began implementing lockdowns of local populations and businesses.

In addition to using promised information from the WHO to lure users in phishing emails, attackers also have been targeting the organization itself, with cyber-attacks on WHO doubling since the COVID-19 outbreak, officials said. In one recent attack, the DarkHotel APT group was blamed for trying to infiltrate WHO networks to steal information about coronavirus testing or potential cures.
