Sophisticated COVID-19–Based phishing attacks leverage PDF attachments and SaaS to bypass defenses

Menlo Security has detected a sophisticated, multi-stage attack leveraging the current COVID-19 pandemic. Our data has shown that COVID-19–based attacks are much more successful than typical phishing attacks. The global pandemic is literally a life-or-death situation that is changing constantly, and people are trying to stay up to date with the latest developments. Cybercriminals have noticed and are adapting their attack techniques to take advantage of the heightened level of global anxiety.

The increasing success of COVID-19–related attacks is shown in Menlo Security’s data. From February 25 to March 25, 2020, our data shows a 32X increase in the number of successful daily attacks. The chart below shows the number of successful attacks using URLs that include the terms “COVID” or “coronavirus.” The data shows the number of successful attacks where people clicked on a malicious link and visited a malware or phishing site. There was an initial surge on March 11, the day the World Health Organization declared the outbreak a pandemic. The surge in successful cyberattacks continues and has yet to flatten. 

Typical phishing attacks are based on a single technique, and many security solutions have developed capabilities to detect and block these attacks. To increase their success rate, attackers have adopted multi-stage attacks leveraging email, PDF attachments, and trusted SaaS services. 

Menlo Security’s research team has identified a sophisticated COVID-19–based phishing attack that combines multiple techniques to bypass existing defenses. The attack was very well thought out and required upfront research and planning by the attacker. The goal of the attack was to steal the credentials of the targeted users. 

The attack targeted about 100 companies, mostly in Asia and a few in the U.S. The targets were large companies that operated over multiple geographies. It does not seem like the attack was focused on a particular industry. We expect the number of companies targeted to rise over time as the attacker learns from these initial phishing attacks and improves their technique. They are also likely to broaden their focus to countries where the COVID-19 pandemic has not yet peaked to take advantage of the global anxiety around the current pandemic.

The phishing attacks included the following elements:

• Personal email from the CEO communicating critical COVID-19 employee information.
  The attacker took the time to research the target organization and create a personalized email that was sent to the targets. Elements that were copied include the email footer and the general layout.
• PDF attachment with an obfuscated URL to bypass traditional security products.
  Rather than putting a link in the text of the email, an attachment was included with a shortened URL using a free short link service (Image 1). By including the link in the attachment, traditional email security products were unable to detect this attack. PDFs are also considered “safe” and allowed by most organizations.

Screenshot of PDF Document with Malicious URL

• Hosted form on a Microsoft service to steal logins and passwords.
  A real Microsoft service was used to host a form that prompted targets to enter usernames and passwords (Images 2 and 3). The use of a respected SaaS service rather than a fake URL gives the attack another way to evade traditional security products. Previous Menlo Security research has shown that enterprise SaaS-based attacks are becoming more prevalent, with 97 percent of these attacks using five well-known SaaS services.

Screenshot of Form Hosted on Microsoft Site

Screenshot of Form Hosted on Fake Microsoft Account to Gather Usernames and Passwords

This phishing attack was successful in bypassing existing security defenses and was very effective in getting people to click on the URL to go to the hosted form on the Microsoft service. From a user’s perspective, the experience feels totally normal, since they are already using Microsoft’s email and online storage services. The malicious malware form was hosted on a real Microsoft account to further the deception. 

Menlo Security believes that more sophisticated attacks such as the one described will increase in frequency. With the initial surge in COVID-19–related phishing attacks, the low-hanging fruit for attackers has already been picked. So we expect these attackers to evolve their techniques and combine multiple techniques for more effective campaigns. 

Security vendors will need to play catch-up to detect and stop these attacks. These are unprecedented times, and this is even more true for cybersecurity. As an industry, we are facing a deluge of new zero-day attacks we’ve never before seen, meaning there are no signatures, blacklisted URLs, or websites that can be referenced. The best way to solve this problem and protect organizations, in our view, is to leverage newer approaches such as isolation, because isolation has proven its efficacy in stopping these types of attacks.