Threat Actors Continue to Leverage Pandemic Relief Plans

By Kyle Duncan, Cofense Phishing Defense Center

Threat actors continue to be a thorn in the side of business owners everywhere, as evidenced by a recent phishing campaign observed by the Cofense Phishing Defense Center (PDC). With the effects of COVID-19 still disrupting lives and businesses, this campaign attempts to exploit the anxieties of those awaiting government aid. Attackers pose as representatives of the United States Small Business Administration (SBA). By offering fake grant applications through illegitimate forms hosted on Google Docs, these threat actors hope to walk away with victims’ private information.

Figure 1: Email Body

Figure 1 shows a suspiciously simple email that asks the recipient to submit a form to qualify for a government COVID-19 grant for their business. The threat actor uses the SBA logo to make the email appear legitimate, but there are some noticeable red flags. First, notice the sender’s domain: it is not an official government email address, and the sender is not who they claim to be. Second, the body of the email itself should give the recipient pause: it is an unsolicited message, purportedly from the government, offering a grant. At the bottom of the email the target is urged, in large, bold type, to download the attached PDF file to proceed.

Figure 2: PDF Attachment

After downloading the PDF file seen in Figure 2, the target is presented with a relatively well-constructed document. There is a short paragraph about the grant program and a “click to apply” hyperlink containing the shortened URL hXXps://bit[.]ly/3GPM2ud. One interesting detail is that the first phone number shown toward the bottom is a legitimate number for SBA customer service. Since a phone call to that number would have revealed to the target that the grant offer is fake, it can be assumed the threat actor included it only to make the message look more legitimate at first glance.

Figure 3: Phishing Page

Figure 4: Phishing Page (cont.)

Upon clicking this link, the target is sent to the Google Docs form at hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLScZ4Uf8DtVWHgxggkzsbBHjCGU9NpGc6AGXpY5O2FWpo6Tv5Q/viewform, where, after two short introductory paragraphs, they are asked a series of questions. In Figure 3, the first few questions do not ask for sensitive information. Scrolling further down the form (Figure 4), the threat actor attempts to collect more sensitive information such as a Social Security number and, eventually, bank account number and driver’s license information.

This threat is yet another example of how threat actors have used the pandemic to prey on unsuspecting victims. Small business owners, seeing what looks like enticing monetary relief, may hastily take the bait and share critical personal information. Threats such as this vary in complexity; however, preventative actions such as verifying the legitimacy of unanticipated offers may head off a potentially critical compromise. Even though this threat is relatively simple, it still landed in an inbox within an environment protected by a secure email gateway (SEG). Thanks to the careful eye of a well-conditioned user, Cofense was able to identify and contain the threat. Contact us to find out more, and how we can help your enterprise.

File Name: sba.pd
MD5: 7802d1fded5cc83bf2076c1b3490b3de
SHA256: 206f57d52ea0b0c8c9ab232bdf69b2dc96606bc59b4c2674fbf8fd7b35d0661f
File Size: 25289 bytes
Payload URL: hXXps://bit[.]ly/3GPM2ud
IP Address:
Payload URL: hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLScZ4Uf8DtVWHgxggkzsbBHjCGU9NpGc6AGXpY5O2FWpo6Tv5Q/viewform
IP Address:

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.


The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Cryptocurrency and Exchange Phish Used to Steal User Information

By Aaron Leung, Cofense Phishing Defense Center

With the hype around cryptocurrency, it was only a matter of time before threat actors exploited it as a lure. Analysts at the Cofense Phishing Defense Center (PDC) have noticed a steady uptick in crypto-themed phishing campaigns. These campaigns imitate crypto exchange domains and two-factor authentication (2FA) prompts. Threat actors prey on emotions by flagging supposedly unauthorized withdrawals from individual accounts.

Figure 1: Email Body

Figure 1 shows the threat actor’s attempt at replicating an email from CoinSpot. It tells the recipient that a Bitcoin (BTC) withdrawal is pending confirmation. Other than the threat actor’s obvious use of a Yahoo email address, the design of this email is extremely convincing. The style appears authentic, and a Bitcoin address is even included to add legitimacy. The user is prompted to either confirm or cancel the withdrawal, but both links carry the same SendGrid hyperlink. Once either option is clicked, the user is redirected to hXXps://birragzez[.]netlify[.]app/, which in turn redirects to the phishing landing page.
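As an added example (not code from either Cofense post), the two red flags called out above can be checked mechanically: a sender domain that does not match the brand the email invokes (the SBA lure) and "Confirm"/"Cancel" links that resolve to one and the same SendGrid URL (the CoinSpot lure). The brand allow-list, sender addresses and tracking URL in the sample are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

BRAND_DOMAINS = {"sba": {"sba.gov"}, "coinspot": {"coinspot.example"}}  # constructed placeholder allow-list

class LinkCollector(HTMLParser):
    # Collects (visible text, href) pairs for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def analyze(raw_email):
    # Returns a list of findings; an empty list means neither red flag fired.
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    haystack = " ".join([msg.get("From", ""), msg.get("Subject", ""), body]).lower()
    findings = []
    # Red flag 1: a brand is invoked but the mail was not sent from that brand's domain.
    for brand, allowed in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", haystack) and sender not in allowed:
            findings.append(f"brand '{brand}' referenced but sender domain is '{sender}'")
    # Red flag 2: differently labelled action links share one destination URL.
    collector = LinkCollector()
    collector.feed(body)
    by_target = {}
    for text, href in collector.links:
        by_target.setdefault(href, []).append(text)
    for href, texts in by_target.items():
        if len({t.lower() for t in texts}) > 1:
            findings.append(f"links {texts} all point at {href}")
    return findings

# Constructed sample modelled on the CoinSpot lure described above.
SAMPLE = """From: CoinSpot Support <support-coinspot@yahoo.example>
Subject: CoinSpot withdrawal pending confirmation

<a href="https://tracking.sendgrid.example/ls/click?u=abc">Confirm</a>
<a href="https://tracking.sendgrid.example/ls/click?u=abc">Cancel</a>
"""
```

Running `analyze(SAMPLE)` yields two findings, one per red flag; a mail sent from an allow-listed domain whose action links differ yields none.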