Coronavirus phishing: "Welcome back to the office..."

As offices start to slowly open back up, the theoretically post-pandemic world is changing its threat landscape once again, and coronavirus-themed phishing is likely to be part of that change. With the move to remote work, attackers switched up their tactics. Personal devices and home networks became hot targets. Organizations struggled with securing devices remotely, rolling out VPNs, and forming best practices for potentially sensitive work done outside the office environment.

And hey, don’t forget the trend of using work devices for personal use. The gradual blurring of lines between work and personal use is an understandable one given how 2020 panned out. Even so, it introduces an aspect of risk that many organizations perhaps weren’t dealing with previously.

Office, work from home (WFH), or…both?

Now that a lot of the office space has gone virtual and might not go back to being fully on-site, we’re all left holding our breath. It’s impossible to predict how the post COVID-19 work landscape will fit together. A hybrid approach seems most likely, with time split between office and home. Full office attendance or 100 percent WFH seems unlikely, and perhaps not actually possible for some roles.

With this in mind, attackers will keep looking for the schemes that offer the best return against these hybrid workers, with as little effort as possible.

For now, we have an opening salvo of “welcome back to the office, here’s a phish we’d like you to click”.

“The office is re-opening! Please read the newsletter…”

Employees are now indeed being targeted with “back to the office” missives. Found by Cofense, the mail arrives tagged [EXTERNAL] and claims to be a notice from the CIO, welcoming people back to the office as the company updates its “business operations”.

A simple yet effective tactic. Many organizations will likely be sending similar messages over the coming weeks and months. In fact, this could be more effective where companies don’t have regular COVID status updates going out by mail. In places where regular comms and instructions are dispensed, a fake update will perhaps stand out. Where they aren’t, a curious employee won’t think “Oh, it’s not our bi-weekly update from our official pandemic information source. This seems peculiar”. They may instead go down the “Wow, it’s the boss! We’re back in the office” route.

From there, it’s a short step to “I’ve just handed my credentials to this fake Microsoft portal”.

Taking action against the pandemic chancers

There are a few ways to try and defend against this type of attack.

If an organization doesn’t have any sort of plan for COVID updates, it should really consider one. Narrowing down the scope for “Who sends this” to one specific mailbox/individual potentially makes it a target, but that’s preferable to a fake COVID update coming from any number of random employees.

There are also other ways to get across COVID updates, like group calls or status updates in other weekly/monthly team meetings. Considering how many Zoom calls everyone has had at this point, there shouldn’t be any problem dropping these updates into overall messaging.

A combination of mailed and spoken comms, alongside other systems like Intranet portals containing the latest advice, should go a long way to keeping the COVID scammers out. For now, be on your guard against mails making bold promises regarding office activity. While many of us can’t wait to get back, that’s exactly what these phishers are banking on.
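The “one designated mailbox” control above is easy to turn into a mail-gateway or SOC triage check: any message that uses a return-to-office lure but does not come from that mailbox, arrives tagged [EXTERNAL], borrows an executive title in its display name from an outside address, or links somewhere other than the company’s own portals gets flagged for review. The script below is an added example, not code from the article or from Cofense; the organization domain, the `covid-updates@example.com` mailbox, the trusted link hosts, the lure phrases and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organization settings (assumptions for this example).
ORG_DOMAIN = "example.com"
# The single mailbox designated for pandemic/office-status updates.
COVID_UPDATE_SENDER = "covid-updates@example.com"
# Hosts that official updates are expected to link to.
TRUSTED_LINK_HOSTS = {"intranet.example.com", "example.com"}

# Lure phrases typical of "welcome back to the office" phishing (constructed list).
LURE_PATTERNS = [
    r"back to the office",
    r"re-?opening",
    r"business operations",
    r"return to (the )?office",
]
EXEC_TITLE_RE = re.compile(r"\b(cio|ceo|cfo|chief information officer)\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def assess_message(raw: str) -> dict:
    """Return a verdict for one raw RFC 822 message (plain text, not multipart).

    A message is only examined further if it carries a return-to-office lure;
    each failed check is recorded as a reason so an analyst can see why.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (subject + "\n" + body).lower()
    domain = addr.rpartition("@")[2].lower()

    reasons = []
    if any(re.search(p, text) for p in LURE_PATTERNS):
        if addr.lower() != COVID_UPDATE_SENDER:
            reasons.append("office-status lure not from designated update mailbox")
        if domain != ORG_DOMAIN:
            reasons.append("sender domain outside organization")
        if "[external]" in subject.lower():
            reasons.append("tagged [EXTERNAL] yet claims internal office news")
        if EXEC_TITLE_RE.search(display.lower()) and domain != ORG_DOMAIN:
            reasons.append("executive title in display name from outside address")
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host not in TRUSTED_LINK_HOSTS:
                reasons.append(f"link to untrusted host {host}")

    return {
        "from": addr,
        "subject": subject,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


def triage(raw_messages) -> list:
    """Assess a batch of raw messages, returning one verdict dict per message."""
    return [assess_message(raw) for raw in raw_messages]


# Constructed sample: a lure in the style the article describes (spoofed CIO,
# external tag, credential-harvesting link on a look-alike host).
PHISH = """\
From: "Office of the CIO" <cio-notice@example-updates.net>
To: staff@example.com
Subject: [EXTERNAL] Welcome back to the office - updated business operations

Dear colleague,
We are re-opening the office next week. Please review the newsletter and
confirm your return date by signing in here:
https://login-microsoft-portal.example-updates.net/signin
"""

# Constructed sample: a genuine update from the designated mailbox.
LEGIT = """\
From: "COVID Updates" <covid-updates@example.com>
To: staff@example.com
Subject: Bi-weekly office status update

The office is re-opening on a hybrid schedule. Latest guidance is on the intranet:
https://intranet.example.com/covid
"""

if __name__ == "__main__":
    for verdict in triage([PHISH, LEGIT]):
        print(verdict["verdict"], verdict["from"], verdict["subject"])
        for reason in verdict["reasons"]:
            print("  -", reason)
```

The check deliberately gates everything on the lure phrases so that ordinary external mail is not flagged; the cost is that a phisher who avoids those phrases slips past, which is why the designated-mailbox rule and the link-host rule are also applied rather than relying on wording alone.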