Threat actors are exploiting employee concerns about infected colleagues. Our latest example targets Office 365 accounts at a large Canadian company by falsely claiming a colleague has died from the virus.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up to date on how threat actors are exploiting the pandemic.
The email originates from a fake sender address. It prompts the potential victim to open the attached HTML file Corona_Virus_on_Site_Update_Monday%2003302020-pab.pdf.hTml#, an Office 365 phish meant to steal login credentials.
When the victim enters their information, JavaScript code submits the credentials to a form receiver, which then sends the information to the server address http://tokai-lm.jp/style/89887cc/5789n.php?98709087-87634423
To appear more legitimate, the HTML file then sends the victim to the hacked website http://ozturkkilcadir[dot]com//wp-content/22323454-76878989/wrng.html.
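For defenders triaging similar attachments, the following is an added example and not PhishLabs' own tooling: it flags the document-style double extension seen in the filename above and an HTML body that pairs a password field with remote endpoints in a form action or script. The names `triage` and `AttachmentScan` and the `.example` hosts in the constructed sample are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Document extension followed by an HTML one, e.g. ".pdf.hTml" (optional "#").
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.x?html?#?$", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
# Constructed, inert sample body; the .example hosts are placeholders.
SAMPLE_HTML = ('<form><input type="password" name="p"></form>'
               '<script>var receiver = "http://collector.example/r.php";'
               ' var next = "http://landing.example/n.html";</script>')

class AttachmentScan(HTMLParser):
    """Counts password inputs; collects hosts from form actions and scripts."""
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.remote_hosts = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "form" and a.get("action"):
            self._add(a["action"])
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        # Only URLs inside <script> bodies count, not links in visible text.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._add(url)

    def _add(self, url):
        # Relative targets have no hostname and are stored as "" (dropped later).
        self.remote_hosts.add(urlparse(url).hostname or "")

def triage(filename, html):
    # Percent-decode the name first so encoded characters cannot hide the suffix.
    scan = AttachmentScan()
    scan.feed(html)
    hosts = sorted(scan.remote_hosts - {""})
    return {
        "double_extension": bool(DOUBLE_EXT.search(unquote(filename))),
        "credential_form": bool(scan.password_fields and hosts),
        "remote_hosts": hosts,
    }
```

Any host returned in `remote_hosts` is a candidate for proxy and DNS log searches to find users who opened the attachment.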
This is not the first time we've seen spoofed Office 365 logins; it is, however, one of the first we've seen that exploits employees' fears that their coworkers have coronavirus. It serves as further evidence that threat actors are taking advantage of corporate efforts to keep employees safe and informed in order to compromise enterprises.
For more intelligence on COVID-19 threats, see our ongoing coverage.