Microsoft this week warned about a massive COVID-19 Excel phishing attack that started on May 12. The campaign sends emails that look like they are from the “Johns Hopkins Center”, and they have an Excel attachment that claims to be US deaths caused by the Coronavirus.
If your user opens that infected “Excel doc”, the file downloads a macro and runs the NetSupport Manager Remote Admin Tool. This is actually a legit remote support product, but it can also be used for criminal purposes, specifically to download malware on a targeted device. When installed, it allows the bad guys to gain complete control over the infected machine and execute commands on it remotely.
In a series of tweets, the Microsoft Security Intelligence team outlined how this massive COVID-19 Excel Phishing Attack campaign is spreading this tool. The Excel document contains malicious macros, and will prompt the user to ‘Enable Content’. Once clicked, the macros will be executed to download and install the NetSupport Manager client from a remote site.
“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines,” Microsoft tweeted.
What to Do About COVID-19 Excel Phishing Attack
If you have any users that infected their machines you should operate under the assumption that their data and passwords have been compromised. You should contact Responza immediately.
You should also warn your other users of the attack and be aware that the threat could have passed laterally to other computers throughout your company. A network-wide scan is required immediately.
Related blog: How to Spot Email Phishing Scams