Phishing Campaigns Mimic Microsoft Teams, HHS COVID-19 Vaccine Tracker
In recent weeks, two phishing campaigns were spotted actively spoofing Microsoft Teams and the other disguised as emails from HHS with information about a COVID-19 vaccine tracker.
Two impersonation-based phishing campaigns emerged in recent weeks, leveraging spoofing tactics to appear as legitimate emails. The most recent campaign masquerades as Microsoft Teams alerts, while the other is disguised as a COVID-19 vaccine tracker email from the Department of Health and Human Services.
For the Microsoft Teams impersonation attacks, Abnormal Security researchers found attackers are impersonating an automated message sent from Microsoft Teams to Office 365 users in an effort to steal the user’s login credentials.
The malicious emails display the message “There’s new activity in Teams,” appearing as an automated notification from Microsoft Teams that tells the recipient their teammates are trying to reach them on the platform and to click on the “Reply in Teams” link to contact them.
However, the link brings the user to a phishing page that “looks convincingly like a Microsoft login page with the start of the URL containing ‘microsftteams’, lending further credence.”
The emails contain two other malicious links: “Microsoft Teams” and “(Contact) sent a message in instant messenger.” Both of which will send the user to the impersonation Microsoft login page that asks the user to enter their username and password.
“Should recipients fall victim to this attack, their login credentials as well as any other information stored on their account will be compromised,” researchers wrote. “The attacker spoofed employee emails and also impersonated Microsoft Teams. The recipient is more likely to fall prey to an attack when it is believed to originate from within the company and also from a trusted brand.”
The attack is highly effective as Microsoft Teams is an instant messaging services, and users may likely click on the link to quickly respond to a missed message from a teammate.
Abnormal Security data shows the phishing campaign has already reached 15,000 to 50,000 mailboxes.
HHS COVID-19 Vaccine Tracker Emails
While the number of phishing emails tied to the COVID-19 pandemic have drastically reduced since March, hackers are continuing to leverage fears about the crisis in targeted emails. And the most recent campaign found by Abnormal Security is no exception, as hackers mimic HHS to install malware on employee devices.
In these impersonation attempts, the display name appears as “health & human services,” complete with HHS in the email signature to convince a user that the message was sent from a trustworthy source.
What’s more, the phishing emails are sent to all employees at a targeted organization and claims that the email attachment contains vaccine information from a trial, as well as where the individual can receive a vaccine nearby.
If a user opens the attachment, the attack payload is launched: a malicious .jnlp (Java Network Launching Protocol) file that facilitates the installation of malware.
“If the recipients fall for this attack, they are at risk of losing control of their device as well as allowing attackers to access sensitive personal and organizational information,” researchers explained. “The attached .jnlp file is a vehicle for the malware attack. These types of files are able to launch Java programs remotely and then install malware on the victim’s device.”
“When the file is run through VirusTotal, it returns as safe – these types of attacks are especially dangerous since they can bypass antivirus software,” they added. “The email attack preys on individuals’ concerns and inherent curiosity, making it more likely that they will engage with the attack.”
Notably, Abnormal Security found the phishing attacks bypass Ironport email security. So far, the campaign has landed in 50,000 to 70,000 inboxes.
As National Cyber Security Alliance Executive Director, Kelvin Coleman recently noted to HealthITSecurity.com, “Bad actors take advantage of crises. Hackers are being aggressive, leveraging targeted emails and phishing attempts.”
Phishing continues to be a popular attack method, given its success rate in the healthcare sector. In response, provider organizations should ensure they’ve implemented multi-factor authentication, which can ensure a hacker is limited in its attack – even with stolen credentials.
Further, as previously reported in JAMA, phishing education and training can drastically reduce cyber risk to provider organizations.
““The better users become at detecting spear phishing, the less likely the organization is to be compromised by an attacker,” Europol explained in its spear-phishing insights. “Board management influence is key in the creation and diffusion of prevention campaigns in order to make these initiatives more relevant to employees and consider them as a priority.”
“At the same time, more senior level staff often lack basic awareness of the dangers of spear phishing and, thus, are often themselves one of the primary targets,” they added. “An intuitive user experience, which makes it easy to flag suspicious emails and which warns the user of potentially malicious content, could significantly help users stay alert and make the right decisions when encountered with a phishing campaign.”