Microsoft: Beware of ‘Massive’ Excel, COVID-19 Phishing Scam
Microsoft is warning users that hackers are engaging in a massive phishing campaign using malicious Excel files and fake COVID-19 news that can give them access to computers.
Microsoft is warning users of a massive phishing campaign using malicious Excel files and fake COVID-19 news designed to install software that can allow hackers to take over end user computers.
In a series of Tweets earlier this week, Microsoft Security Intelligence said that the company is tracking a “massive campaign” that installs the legitimate remote access tool NetSupport Manager via emails with attachments containing malicious Excel files.
“The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments,” the company tweeted.
The emails are designed to take advantage of the constant stream of COVID-19 news and purport to come from John Hopkins Coronavirus Research Center, one of the leading institutions tracking and fighting the virus. The emails contain the subject line, “WHO COVID-19 SITUATION REPORT.”
The files open with a security warning and show a graph of supposed COVID-19 cases in the U.S.
“If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” Microsoft tweeted.
NetSupport Manager is a legitimate remote access tool, but it is also known as an effective hacking tool that lets attackers gain access to and run commands on compromised machines.
Microsoft Security Intelligence says those kinds of attacks using Excel 4.0 macros have been steadily increasing. In April, those campaigns “jumped on the bandwagon and started using COVID-19 themed lures.”
Hundreds of unique Excel files in these attacks use highly obfuscated formulas, but they all connect to the same URL to download the payload.
“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” Microsoft tweeted.
Microsoft provides more information about how the company prevents these kind of attacks on its security blog.
This article originally ran in CS sister publication MyTechDecisions. Zach Comeau is TD’s web editor.
If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Related Content
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!
