Watch out for emails claiming to offer a “COVID-19 bonus.” According to Microsoft, a pair of hackers has been using the term to trick business employees into handing over access to their email accounts.
On Tuesday, the company detailed the phishing attacks, which have been attempting to take over Microsoft Office 365 accounts from business users across 62 different countries.
Microsoft has been observing the hacking group’s phishing scams since December; they initially involved generic business subject lines, such as “Q4 report — Dec 19.” However, in recent weeks, the duo has been exploiting the pandemic to manipulate users into opening their malicious emails, including use of the term “COVID-19 bonus” on links or files attached to the emails. “Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application,” wrote Microsoft corporate vice president Tom Burt in a blog post.
The malicious web application is dressed up to look like a legitimate Microsoft product. For instance, the hackers named one such app “0365 access,” with a zero standing in for the letter O so that the name reads as “O365” on the consent screen. Notably, the app never asks for a username or password at all.
Instead, it tries to trick the victim into approving an OAuth consent prompt that grants the app powerful delegated permissions, including the ability to read the mail in their Office 365 mailbox and even to change its mailbox settings. Because what the attacker ends up with is an access token issued to their app rather than a stolen password, the grant keeps working after a password change and is not stopped by multi-factor authentication, which the victim has already completed by the time the prompt appears.
The scheme looks more legitimate still because victims are first sent to the genuine Microsoft 365 login page, and only after signing in there are they redirected to the prompt asking them to grant permissions to the malicious app. The login page really is Microsoft’s; the only attacker-controlled parts of the flow are the app registration, its display name, the permissions it requests, and the address the resulting token is sent to.
If the victim falls for the trap, the phishing attack can pave the way for what’s called “business email compromise,” in which the hackers use their access to the mailbox to trick a company’s staff into wiring large sums of money to them. The same access also lets the attackers read sensitive company information.
According to Microsoft, the pair of anonymous hackers sent millions of phishing emails, largely directed at chief executives and senior managers in both the private and public sector.
To stop the attacks, Microsoft filed a lawsuit to seize control over six internet domains the hackers have been using to host their malicious web applications. On Tuesday, the US District Court for the Eastern District of Virginia granted the company control of the six domains.
The phishing scheme is a reminder to be careful around third-party apps that ask for powerful permissions. Nothing is installed on the victim’s machine; the consent grant lives in the Office 365 tenant and stays valid until it is revoked, regardless of later password changes. Users should decline any consent prompt they did not set out to trigger, and administrators should review the apps their users have consented to, revoke any they do not recognize, and consider restricting which apps users may consent to on their own.