Microsoft Shares Threat Intelligence During Global Crisis
With our inboxes, mobile alerts, TVs, and news updates all about COVID-19, attackers know many are clicking without looking because stress levels are high, and they’re taking advantage of that.
That’s why we’re seeing an increase in the success of phishing and social engineering attacks. Attackers don’t suddenly have more resources they’re diverting towards tricking users; instead they’re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click. Once we click, they can infiltrate our inboxes, steal our credentials, share more malicious links with coworkers across collaboration tools, and lie in wait to steal information that will give them the biggest payout.
Data released by Microsoft threat intelligence teams shows that COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. "This means we’re seeing a changing of lures, not a surge in attacks," said Rob Lefferts, Corporate Vice President, Microsoft 365 Security. Microsoft's intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment:
- Every country in the world has seen at least one COVID-19 themed attack. The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information grow. Microsoft's telemetry shows that China, the United States, and Russia have been hit the hardest.
- The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. Microsoft has observed 76 threat variants to date globally using COVID-19 themed lures.
- Microsoft tracks thousands of email phishing campaigns that cover millions of malicious messages every week. Phishing campaigns are more than just one targeted email at one targeted user. They include potentially hundreds or thousands of malicious emails targeting hundreds or thousands of users, which is why they can be so effective. Of the millions of targeted messages we see each day, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs.
- While that number sounds very large, it’s important to note that that is less than two percent of the total volume of threats Microsoft actively tracks and protects against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear. Attackers are impersonating established entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes.
- In a single day, Microsoft's SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses.
- Microsoft Office 365 Advanced Threat Protection prevented a big phishing campaign that used a fake Office 365 sign-in page to capture credentials. Roughly 2,300 unique HTML attachments posing as COVID-19 financial compensation information were caught in 24 hours in this one campaign. Microsoft expects to see more campaigns that utilize the economic fear from lost income, as governments widen the mandatory shutdown of their economies and stimulus funds begin to be issued in the U.S.
- Several advanced persistent threat and nation-state actors have been observed targeting healthcare organizations and using COVID-19-themed lures in their campaigns. Microsoft continues to identify, track, and build proactive protections against these threats in all of its security products.