Microsoft: Beware of ‘Massive’ Excel, COVID-19 Phishing Scam

Microsoft is warning users that hackers are engaging in a massive phishing campaign using malicious Excel files and fake COVID-19 news that can give them access to computers.

Microsoft: Beware of ‘Massive’ Excel, COVID-19 Phishing Scam

Microsoft is warning users of a massive phishing campaign using malicious Excel files and fake COVID-19 news designed to install software that can allow hackers to take over end user computers.

In a series of Tweets earlier this week, Microsoft Security Intelligence said that the company is tracking a “massive campaign” that installs the legitimate remote access tool NetSupport Manager via emails with attachments containing malicious Excel files.

“The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments,” the company tweeted.

The emails are designed to take advantage of the constant stream of COVID-19 news and purport to come from John Hopkins Coronavirus Research Center, one of the leading institutions tracking and fighting the virus. The emails contain the subject line, “WHO COVID-19 SITUATION REPORT.”

The files open with a security warning and show a graph of supposed COVID-19 cases in the U.S.

“If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” Microsoft tweeted.

NetSupport Manager is a legitimate remote access tool, but it is also known as an effective hacking tool that lets attackers gain access to and run commands on compromised machines.

Microsoft Security Intelligence says those kinds of attacks using Excel 4.0 macros have been steadily increasing. In April, those campaigns “jumped on the bandwagon and started using COVID-19 themed lures.”

Hundreds of unique Excel files in these attacks use highly obfuscated formulas, but they all connect to the same URL to download the payload.

“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands,” Microsoft tweeted.

Microsoft provides more information about how the company prevents these kind of attacks on its security blog.

This article originally ran in CS sister publication MyTechDecisions. Zach Comeau is TD’s web editor.

Read More Articles Like This… With A FREE Subscription

Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!

Get your free subscription today!


Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Online Summit On-Demand Campus Safety HQ