As workers begin to return to offices following the COVID-19 vaccine rollout, hackers are launching new campaigns to take advantage of this turn of events.

This follows previous attacks that sought to take advantage of the interest in the COVID-19 virus at the height of the pandemic. Workers going back to their usual place of work has created an opportunity for scammers, who have launched a new phishing campaign targeting workers returning to offices.

The new emails claim to be sent from the organization's Chief Information Officer to advise staff of new protocols and processes that have been devised to help returning workers avoid any possibility of infection. They appear to have been broadcast only internally within the organization, and even include the organization's logo and what looks like the CIO's signature. The emails include a URL that recipients are advised to visit (a Microsoft SharePoint page) to view or download two related documents: a COVID-19 information sheet and an implementation letter that lists steps the company has implemented as a result of guidance from the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), and local health bodies.

While the majority of phishing attacks attempt to bring email recipients to a phishing form to collect Office 365 credentials, this campaign goes one step further in that the phish is only initiated once the link is clicked. When this is done, a fake Microsoft login prompt pops up and credentials must be entered in order to access the files. Once the details are handed over, a message appears informing the staff member that their account or password is incorrect, and they must enter it again before they are finally brought to a genuine Microsoft page and given access to the documents on OneDrive. This means that there is no clear indication that credentials have been phished.

This COVID-19 phishing campaign, like many others launched during the pandemic, feature. In this case, the emails have been excellently composed and have been written for individually-targeted groups, making them appear authentic and likely to trick lots of people. It remains unknown what the cybercriminals are aiming to do with the stolen data once it has been collected. The stolen credentials could be used to harvest large amounts of protected data held within Office 365 email accounts, could allow the cybercriminals to establish a foothold in the corporate network for a more extensive compromise, or could be sold for a profit to different cybercriminal collectives.

The best tactic for dealing with this level of threat is to use an advanced spam filtering solution like SpamTitan. With SpamTitan implemented, phishing attacks like this will be spotted and dealt with at the gateway so that employees are not being relied on to prevent the databases being infiltrated.

Contact the TitanHQ team now in order to enhance your security posture and tackle the dangers of cybercriminal attacks for your organization.