New phishing campaign offers COVID-19 relief payments
Researchers at Abnormal Security, an email-based security company, have detected a new phishing campaign aimed at UK businesses using the popular Microsoft 365 productivity suite.
The new campaign seeks to imitate genuine messages about the UK Government’s Small Business Grants Fund, which offers a one-off cash grant of £10,000 to eligible small businesses to support them through the coronavirus crisis. The emails have so far arrived at thousands of businesses, and the attackers are clearly looking to take advantage of the concerns of struggling business owners, some of whom may be less cautious than usual when apparently being offered government support.
The attackers also take advantage of the Dropbox Transfer feature to distribute the COVID-19-Relief-Payment.PDF file, allowing it to bypass many of the usual security features. The Abnormal Security researchers explain the significance of this:
“This is a sophisticated attack because, by using Dropbox Transfer to send files, it is not necessary to spoof headers since the sender name will come from the legitimate Dropbox domain. Not only does this bypass traditional mail filters but it also goes undetected by any existing web proxy and firewall controls. This is also extremely convenient for attackers because they can send the payload without ever having to verify if the targeted network is allowing an inbound SMTP or testing firewalls/proxies.”
On opening the PDF file, instead of information about the relief scheme, the target is told that the document has been sent over OneDrive, the cloud storage element of Microsoft 365. On clicking the link in the PDF file, the user is redirected to a page asking them to log into Microsoft 365. This page is actually a Google Form, however, and any login details entered into it are immediately compromised, giving the attackers access to everything available to that account, such as emails, documents, databases, and so on.
The campaign follows the recent trend of cybercriminals preying upon people’s fears and concerns about the coronavirus in order to get them to unwittingly give up authentication details or install malware. Nevertheless, there are various warning flags, such as the redirection through two different cloud providers and a Microsoft login page being hosted on a Google site. The attack will also fail to achieve its goal when an account is further secured through multifactor authentication, where additional means are employed to validate users, such as a code from an authenticator app running on a mobile device.
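The warning flags above (a click chain that hops between two cloud providers, and a page that claims to be a Microsoft 365 login while being hosted on a Google form) can be turned into simple triage checks. The following is an added example, not code from Abnormal Security or Pro-Networks; the brand-to-domain mapping, the provider list and the sample click chain are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed for this example: brands a login page may claim, and the
# registrable domains on which that brand's genuine sign-in pages live.
BRAND_DOMAINS = {
    "microsoft 365": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "onedrive": {"microsoft.com", "live.com", "office.com"},
}

# Cloud sharing/form providers that appear in the chain described in the article.
SHARING_PROVIDERS = {"dropbox.com": "Dropbox", "google.com": "Google", "live.com": "Microsoft"}


def registrable_domain(url):
    """Reduce a URL to its last two host labels (docs.google.com -> google.com).
    Simplification: suffixes such as .co.uk would need a public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def brand_mismatches(landing_text, landing_url):
    """Brands named on the landing page whose genuine sign-in domains exclude its host."""
    text = landing_text.lower()
    host = registrable_domain(landing_url)
    return sorted(b for b, doms in BRAND_DOMAINS.items() if b in text and host not in doms)


def assess_chain(urls, landing_text):
    """Return the warning flags raised by a click chain that ends at a credential prompt."""
    providers = {SHARING_PROVIDERS[d] for d in map(registrable_domain, urls) if d in SHARING_PROVIDERS}
    flags = {}
    if len(providers) >= 2:  # e.g. Dropbox Transfer link leading to a Google-hosted page
        flags["multi_provider_hop"] = sorted(providers)
    mismatched = brand_mismatches(landing_text, urls[-1])
    if mismatched:  # page claims a Microsoft brand but is not on a Microsoft domain
        flags["brand_host_mismatch"] = mismatched
    last = urls[-1]
    if "sign in" in landing_text.lower() and registrable_domain(last) == "google.com" and "/forms/" in last:
        flags["login_on_google_form"] = True
    return flags


# Constructed sample: the Dropbox Transfer link from the email, then the link inside the PDF.
PHISH_CHAIN = ["https://www.dropbox.com/transfer/EXAMPLE-TRANSFER-ID",
               "https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/viewform"]
PHISH_TEXT = "Sign in to Microsoft 365 to view the document shared with you via OneDrive."

if __name__ == "__main__":
    print(assess_chain(PHISH_CHAIN, PHISH_TEXT))
```

A genuine login at `login.microsoftonline.com` raises none of these flags, so the checks can be used to prioritise reported emails before a full investigation.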
At Pro-Networks, we can provide a range of office IT support services to help minimise your company’s exposure to threats like these. For example, we can take over the administration of your Microsoft 365 subscription, such as by adding and removing users when needed and ensuring their accounts are secured. We can also help by securing other aspects of your company’s systems and providing cybersecurity training, so your employees will have the knowledge they need to identify potential cyberattacks and react appropriately.