COVID Email Scams Aren’t Going Away

The COVID-19 pandemic has defined our lives in 2020, leaving lasting markers on the physical and mental health of millions of people. As infections rose in March and April, cybercriminals jumped on this fear and uncertainty by **[weaving the pandemic into their email scams](**. In mid-April, Google’s Threat Analysis Group reported that they detected **[18 million](** COVID-19 themed malware and phishing emails per day. As 2020 labors to a close, COVID-based email attacks show no sign of waning.

At Armorblox, we have seen email attacks continue to exploit the fear and uncertainty around COVID. Some of these emails may be lazy one-offs that prey on the naive among us, but others are laser-targeted and expertly use the context around COVID to induce the required actions from their victims. In this blog, we will outline four representative email attacks that use COVID as a lure. If successful, these attacks could have potentially impacted tens of thousands of mailboxes within Armorblox customer environments alone.

## **1. IRS COVID Relief Phishing**


**Fig: Summary of the IRS COVID relief phishing attack**

### **Attack summary**

This email claimed to contain an important document about IRS COVID relief funds and included a link to view the document. Clicking the link led victims to a SharePoint form that they were told to complete before accessing the document. This form asked for email credentials along with other personal information such as social security numbers, driver license numbers, and tax numbers.

**[Visit this link ](**if you’d like to learn more about this credential phishing attack.


**Fig: Phishing email disguised as information about IRS COVID relief funds**

### Techniques used

* **Targeted email:** The email subject was ‘IRS Covid Relief Fund Update’ and the sender name was ‘IRS Covid Relief Funds’, both very specific and related to topics that elicit quick actions from victims.
* **Socially engineered:** Invoking the IRS is an ‘authority’ trigger meant to prompt quicker action from victims. The email language includes urgency triggers by talking about ‘important’ updates, and ends with a simple but effective request: asking victims to click the link if they want to view the document.
* **SharePoint compromise:** The phishing link led to a SharePoint form that belonged to an employee of the Reproductive Medicine Associates of Connecticut ([RMACT]( – it’s likely their account was compromised by attackers. Since the phishing link pointed to a legitimate SharePoint page, the email got past any email security filters designed to block known bad domains.


**Fig: Phishing page hosted on a compromised user’s SharePoint account**

## 2. IMF COVID Compensation Scam

### Attack summary

This email claimed that the recipient had been shortlisted for COVID compensation from [IMF]( The recipient was asked to reply to the email to solicit further details. While this email leverages COVID in an almost identical way to the IRS attack mentioned earlier in this article, that’s where the similarities end.


**Fig: Email scam disguised as COVID compensation news from the IMF**

### Techniques used

* **No phishing link:** This email asked recipients to reply and solicit further details about their IMF COVID compensation. Avoiding links enables this email to get past any security filters that inspect and block known/unknown suspicious links.
* **Email thread to increase legitimacy:** Attackers crafted an entire email thread and appended it to the scam email. This thread included the ‘IMF Director’ claiming that 125 beneficiaries had been shortlisted for IMF COVID compensation. The average user is likely to see this email thread and buy into the legitimacy of the conversation.
* **Targeted and socially engineered:** The email title is ‘Re: IMF Compensation’ followed by a reference number, which seems like the sort of title a legitimate email would have. The email also advises recipients to reply with their private email address. At first glance, this seems like the sender is being considerate and keeping business email matters separate; in reality, this is likely a reconnaissance exercise through which attackers can collect more information and build out profiles of their victims.
* **The ‘reply-to’ address differs from the ‘From’ address**, which is a common tactic used by cybercriminals to evade legacy security controls.


**Fig: A fake email thread was appended to the scam email for increased legitimacy**

## **3. COVID Test Results Scam**

### Attack summary

This email impersonated an automated message from a doctor’s office and claimed to contain the recipient’s COVID test results. Clicking the link for the test results attempts to install a malware-infected RAR file on the recipient’s system.


**Fig: Email scam disguised as COVID test results from the doctor’s office**

### Techniques used

* **Impersonation:** The sender name is ‘Doctors Support’ and claims to contain COVID test results. The email also mentions a nurse’s name and contact number to make the email seem legitimate.
* **Socially engineered:** The email subject is ‘Re: Notification your test results COVID-19’ followed by a reference number. Eagle-eyed observers will notice this subject has a missing ‘of’, but the attackers’ intent is to make the subject believable and urgent enough to make victims click before thinking. And COVID test results certainly fulfill that objective.
* **Signposting security:** The email body includes a password/PIN for accessing the attachment with the test results, lulling victims into a false sense of security.


**Fig: The payload for the COVID test results scam is a malware-infected RAR file**

## 4. SharePoint Impersonation

### Attack summary

This email impersonated an automated message from SharePoint and claimed to contain a file about COVID 19 requirements. Clicking the link for the document leads victims to a deceptive site hosted on AWS (the page has been taken down at the time of writing).


**Fig: Scam disguised as an automated SharePoint email containing a COVID requirements document**

### Techniques used

* **Impersonation:** The sender name is ‘Sharepoint Online’ and the email template mimics that of automated emails we get from our cloud office applications.
* **Exploit existing workflow:** This email inserts itself into a very common business workflow – employees receiving online documents from coworkers and taking action items accordingly – to pass the average user’s eye test.
* **Targeted and socially engineered:** The email subject is ‘FirstName COVID 19 Requirements’. This email personalization and the anxiety associated with seeing one’s name and COVID 19 in the same sentence is likely to make victims click before thinking.
* **Signposting security:** The email body includes a footnote that says the link will work only for the email recipient. Scam emails often pointedly use language in the email body about how secure the communication is, lulling victims into a false sense of security.

## **Guidance and Recommendations**

### **1. Follow 2FA and password management best practices**

Since all workplace accounts are so closely interlinked, losing access to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to your customers, partners, and loved ones. If you haven’t already, follow these hygiene best practices:

* Deploy two-factor authentication (2FA) on all possible business and personal accounts.
* Use a password manager to store your various account passwords.
* Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc.

### **2. Subject sensitive emails to rigorous eye tests**

Whenever possible, engage with emails related to COVID in a circumspect and rational manner (I know this is easier said than done). Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (*e.g. why is the IRS asking for my SSN over email?*).

### **3. Create your own lines of authentication**

You should try to replicate 2FA, even if in a loose sense, for COVID-related email that expects an action from you. For example, did your doctor just email you test results in an attachment? Call or text the doctor and confirm that they sent the email. Even if they are very busy, they will understand and appreciate your caution.

### **4. Augment native email threat detection with additional controls**

To augment existing email security capabilities (e.g. [Exchange Online Protection]( for Office 365 or the [Advanced Protection Program]( for G Suite), organizations should invest in technologies that take a materially different approach to threat detection. Rather than searching through static lists and blocking known bad domains, these technologies should learn from custom organizational data and be able to stop socially engineered threats like payroll fraud, impersonation, and COVID-based email scams.


For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below. As you stay physically safe, please stay digitally safe too.