Recent Posts

Recent Blog Posts

The PhishLabs Blog

COVID-19 Phishing Update: Infected Coworker Email Targets Enterprise O365 Credentials

Posted by Jessica Ellis on Apr 2, '20

Threat actors are exploiting employee concerns about infected colleagues. Our latest example targets Office 365 accounts at a large Canadian company by falsely claiming a colleague has died from the virus. 


We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic. 




The email originates from a fake sender’s address. In it, the potential victim is prompted to open the attached HTML file Corona_Virus_on_Site_Update_Monday%2003302020-pab.pdf.hTml#, an Office 365 phish meant to steal login credentials.


Screenshot from 2020-04-01 13-06-54


When the victim enters their information, a javascript code submits the credentials to a form receiver, which then sends the information to the server address


Screenshot from 2020-04-01 13-24-14

In an effort to provide additional legitimacy, the HTML file then sends the victim to the hacked website http://ozturkkilcadir[dot]com//wp-content/22323454-76878989/wrng.html.


This is not the first time we’ve seen spoofed Office 365 logins; it is, however, one of the first we’ve seen that exploits employee fears concerning their fellow coworkers having coronavirus. It serves as further evidence of threat actors taking advantage of corporate efforts to keep their employees safe and informed to compromise enterprises. 


For more intelligence on COVID-19 threats, see our ongoing coverage.

Topics: COVID-19

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all