Threat Actor Utilizes COVID-19 Uncertainty to Target Users

ProofpointBy Kyle Duncan, Cofense Phishing Defense Center

As the world continues to contend with a tenacious pandemic, many employers are obliged to revisit medical-benefit policies. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Microsoft login credentials by posing as a company-wide sick/medical leave policy update.  

Figure 1-2: Email Body 

The sender’s email address is spoofed to appear as though the email is originating from the company’s SharePoint services by using the format “Sharepoint@.com“. However, one look into the email’s header information shows that this is not the case and that the email originated from outside of the organization, potentially from a compromised account operated by the threat actor. 

The email body itself is put together well and, at a glance, appears as though it could be legitimate. It even contains little details such as “This link will only work for anyone at ” and “Microsoft OneDrive for .” The threat actor has spoofed a legitimate Microsoft notification to appear legitimate, using a format the recipient would quickly trust at first glance. Since the file being shared refers to the company’s approach on sick leave during COVID-19, users are naturally going to be curious about what their company is doing for them. 

The glaring flaw with the email body is where it references both Microsoft OneDrive and SharePoint. Since the spoofed email address is attempting to trick the user into thinking this is a shared SharePoint file, it does not make sense for the email body to reference both of these services. It thus raises suspicion. The button users are intended to click also references OneDrive and, hovering over it, it reveals that the domain of the destination (oraclecloud[.]com) has nothing to do with Microsoft. It is apparent that this is not what it claims to be. 

Upon visiting the malicious URL, users are taken to a fake Microsoft login page as shown in Figure 3.  

Figure 3: Phishing Page 

The email address field of the login is automatically populated with the user’s email so they would only have to include their password. The page even includes the company’s logo to more effectively pass the login off as legitimate. Once the credentials have been secured, the user is then redirected to a page containing COVID-19 documentation, as seen in Figure 4, that seemingly appears relevant to what was mentioned in the email. While many phishing attempts redirect the user to a legitimate login page, the use of this document instead is another attempt to prevent the realization that the user’s credentials were just stolen.

Figure 4: Final Redirect Page 

Indicators of Compromise 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  

  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.