By Ashley Tran, Cofense Phishing Defense Center
It’s no secret that the COVID-19 vaccine is being rolled out and met with extreme enthusiasm. Some companies are reaching out to their employees personally to gauge interest in receiving the vaccine or, in some cases, signing them up to get vaccinated. As we have noted in previous Cofense blogs, threat actors have taken note and are crafting attacks impersonating these legitimate communications. A user within the Cofense Phishing Defense Center (PDC) network suspected, and reported, a phishing campaign that is weaponizing the vaccination subject line in an attempt to steal Microsoft credentials.
The campaign’s phishing email originates from a compromised account. The user’s name and email address are plainly visible; they’re not hidden or obscured. Because the message is sent from a real, compromised account rather than a spoofed one, it bypasses SPF and/or DKIM checks, which only address spoofing.
The body of the email is formatted as a typical company communication that may seem familiar. Addressed to “All Employees” on the topic of a “COVID 19 Vaccine Interest Survey,” it’s an email that users would likely be expecting given recent news of vaccine roll-outs. The wording and context given for the email seem reasonable, too. The user’s company is supposedly trying to “obtain vaccination opportunities for staff,” and the enclosed survey is meant to gauge interest in receiving the vaccine. Following the “survey” link are additional details, presumably to add filler to appear more legitimate. There is also a deadline for completion, most likely to add urgency to the directive. Finally, the email is signed by the “Director of Human Resources.” However, there’s a glaring discrepancy in the signature name versus the actual sender’s name. This is a red flag users should look for and report.
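The two observations above can be turned into a triage check. This is an added example, not Cofense's tooling: it shows a message that passes SPF and DKIM while the name in the signature block does not match the sender. The sample message, its names and domains, the job-title keyword list and the function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the reported email; names and domains are placeholders.
SAMPLE = """\
From: Jordan Smith <jordan.smith@example.org>
To: all-employees@example.com
Subject: COVID 19 Vaccine Interest Survey
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org

All Employees,

Please complete the survey by Friday.

Thank you,
Pat Doe
Director of Human Resources
"""

# Assumed keyword list for spotting the job-title line of a signature block.
TITLE_RE = re.compile(r"\b(director|manager|officer|president)\b", re.I)

def name_tokens(name):
    """Lower-cased alphabetic words of a name, ignoring single letters."""
    return {t for t in re.findall(r"[a-z]+", name.lower()) if len(t) > 1}

def signer_name(body):
    """Return the line directly above the first job-title line, if any."""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    for prev, line in zip(lines, lines[1:]):
        if TITLE_RE.search(line) and not TITLE_RE.search(prev):
            return prev
    return None

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    # Simple substring check; only trust this header when your own MTA added it.
    auth = msg.get("Authentication-Results", "").lower()
    sender = display or addr.split("@")[0]
    signer = signer_name(msg.get_payload())
    mismatch = bool(signer) and not (name_tokens(signer) & name_tokens(sender))
    return {"spf_pass": "spf=pass" in auth, "dkim_pass": "dkim=pass" in auth,
            "sender": sender, "signer": signer, "signer_mismatch": mismatch}
```

A result with `spf_pass` and `dkim_pass` both true and `signer_mismatch` also true is the pattern described here: authentication succeeds because the account is real, so the mismatch is the signal worth escalating.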
Checking the survey link provided in the email shows that it has been wrapped by Cisco, the receiving organization’s security layer. Here, the text “surveymonky” has been wrapped. However, the actual link embedded behind it redirects to: