Sign in

Microsoft warns of COVID-19 phishing attack via Excel

By: Lisa Marlin

May 28, 2020


Microsoft is warning users about an infected Excel email attachment that can wreak major havoc when opened. The massive phishing attack started on May 12 appearing as emails from the Johns Hopkins Center with an Excel attachment that claims to be US deaths caused by the Coronavirus.

Once a user opens the infected Excel document and then “Enables Content,” the file downloads a macro and runs the NetSupport Manager Remote Administration Tool. While a legitimate support product, in this case, the tool is being used by the perpetrators to download malware on a targeted device and to execute commands on it remotely.

Microsoft tweeted, “The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.”

Once notified of the phishing attack that claimed it came from the Johns Hopkins Center with the title “WHO COVID-19 SITUATION REPORT,” the Johns Hopkins Health Security Center tweeted a reminder and a warning of its own: “We don’t send attachments in our daily update. Pls double check email address of sender & don’t download files from unknown sources.”

What can you do?

Alert your employees about this latest phishing campaign and remind them (again and again) to be cautious before clicking any links or opening attachments from any source, even it appears to from a place such as Johns Hopkins.

“Whatever COVID ruse is being used,” KnowBe4’s Stu Sjouwerman warned, “your users will wind up with either infected workstations at the house or in the office, giving out personal information or unleashing ransomware on your network. Give them a heads-up that especially now they need to stay on their toes with security top of mind.”

PrivaPlan’s Michaela Kahn issued the same caution and suggested subscribing to PrivaPlan’s Managed Phishing Testing & Training. “This product helps you to educate your workforce about good email practices, cybersecurity, and real life threats,” she said, noting that you must have a private domain to use this service, i.e. no Gmail or Yahoo, etc. To query about a free test, and to receive a quote, contact her at mkahn@privaplan.com.