With much of the world now transitioned to virtual work, digital safety has become a key area of concern. This is not something security professionals, were given time to prepare for, yet many firms have been thrust into a new environment and challenged to respond quickly.
The threat intelligence teams at Microsoft are actively monitoring and responding to this shift in focus. Its data shows that these COVID-19 themed threats are rethreads of existing attacks that have been slightly altered to tie to this pandemic. This means that it is seeing a changing of lures, not a surge in attacks.
Microsoft’s intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment.
Here are some key trends:
Attackers are capitalizing on fear: Our inboxes, mobile alerts, TVs, and news updates are overflowing with information about COVID-19 and attackers know that everyone is overwhelmed with it. They understand that stress levels are high and there is a tendency to click without looking and they are taking advantage of that. As a result, we are seeing an increase in the success of phishing and social engineering attacks.
Increase in successful attacks: Every country in the world has seen at least one COVID-19 themed attack: The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information around Covid-19 grows. Microsoft’s telemetry data shows that China, the United States, and Russia have been hit the hardest.
Rebranding of lures: The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. We have observed 76 threat variants to date globally using COVID-19 themed lures. Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we are seeing a changing of lures, not a surge in attacks.
Phishing, malicious attachments & URLS: Every week, Microsoft tracks thousands of email phishing campaigns containing millions of targeted, malicious messages. Of these, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs. It is important to note that the number is less than two percent of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques.
More aggressive and agile attacks: In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses indicating that attackers are getting more aggressive and agile in the delivery of their attacks – using the same delivery methods but swapping out the malicious URLs on a more frequent basis in an effort to evade machine learning protections.
Targeting economic fear: Microsoft Office 365 Advanced Threat Protection prevented a big phishing campaign that used a fake Office 365 sign-in page to capture credentials. Roughly 2,300 unique HTML attachments posing as COVID-19 financial compensation information were caught in 24 hours in this one campaign. We expect to see more campaigns that utilize the economic fear from lost income, as governments widen the mandatory shutdown of their economies.
Impersonating established entities: Attackers are impersonating entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes.
While phishing email is a common attck vector, it is only one of the many points of entry for attackers. Defenders need a much broader view and solutions for remediation than visibility into just one entry method. Defenders require visibility across each of these domains and automated correlation across emails, identities, endpoints, and cloud applications to see the full scope of compromise. Only with this view can defenders adequately remediate affected assets, apply Conditional Access, and prevent the same or similar attacks from being successful again.
