Categories: SecurityWorkspace

Microsoft Uncovers ‘Massive’ Pandemic-Themed Phishing Campaign

Microsoft has warned of a “massive” malware campaign that spreads via scam emails made to appear to have been sent by a major US health research institute.

The phishing campaign takes advantage of fears around Covid-19 and attempts to take control of users’ Windows systems, Microsoft said.

The pandemic-themed campaign began on 12 May and has used several hundred unique Excel attachments, making it more difficult to protect against.

Users receive a message claiming to have been sent by the Johns Hopkins Centre for Health Security, an independent organisation Johns Hopkins University in Baltimore, Maryland.

Image credit: Microsoft

Remote access

The university has become known for producing detailed maps charting Covid-19 cases.

The phishing email includes an Excel attachment containing pandemic data such as infection and death rates.

But the documents also prompt the user to allow macros to execute, and if allowed to do so the macros download and run a tool for gaining remote access to the system.

NetSupport Manager is a legitimate remote-access tool, but is often misused as a remote access Trojan (RAT) to gain illicit control over remote systems.

The tool downloads and installs further components on the system, including .dll, .ini and other executable files, a VBScript and an obfuscated PowerSploit-based PowerShell script, Microsoft said.

It also connects to a remote server, allowing attackers to issue further commands to the infected system.


“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” Microsoft said on Twitter.

The company said it has seen a “steady increase” in malicious Excel 4.0 macros in phishing campaigns over the past several months.

“In April, these Excel 4.0 campaigns jumped on the bandwagon and started using Covid-19 themed lures,” the company stated.

Microsoft also warned of a campaign spreading the Trickbot malware that also uses the pandemic as a lure.

The campaign, which began last week, uses emails claiming to offer a “personal coronavirus check”, Microsoft said.

In April Google said it was blocking 18 million Covid-19-related scam emails per day, and more than 100 million per week.

Security experts advise users to be wary of emails sent from unknown senders.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Microsoft Outage Impacts Airlines, Media, Banks & Businesses Globally

IT outage causes major disruptions around the world, after Crowdstrike update allegedly triggers Microsoft outages

40 mins ago

GenAI Integration Efforts Hampered By Costs, SnapLogic Finds

Hefty investment. SnapLogic research finds UK businesses are setting aside three-quarters of their IT budgets…

18 hours ago

Meta Refuses EU Release Of Multimodal Llama AI Model

Mark Zuckerberg firm says European regulatory environment too ‘unpredictable’, so will not release multimodal Llama…

19 hours ago

Synchron Announces Brain Interface Chat Powered by OpenAI

Brain implant firm Synchron offers AI-driven emotion and language predictions for users, powered by OpenAI's…

20 hours ago

Amazon Workers In Coventry Fail To Form Union

Amazon workers in Coventry lose union recognition ballot by just a handful of votes, amid…

1 day ago