Threat Intelligence

    Threat Intelligence Briefing: Attackers Target Employees Returning To Work—And Increasingly Turn To Non-Traditional Attack Vectors

    Cybersecurity tools need to share threat intelligence, using open application programming interfaces (APIs), to effectively defend against cyberattacks.

    by Samuel Greengard

    Key Points

    • Attackers are shifting focus to target employees returning to work.
    • Non-traditional attack vectors, including vishing and deepfake audio, are on the rise.
    • Mimecast detected a spike in attacks on healthcare organizations, with malicious actors seeking to exfiltrate research data as organizations develop vaccines and new medicines.



    Mimecast’s Global Threat Intelligence shared these findings in a briefing on May 12, 2020, part of an ongoing series of webinars designed to help protect organizations and the general public during the COVID-19 pandemic.

    Cybercriminals are Exploiting COVID-19 to Generate New Attack Methods

    The COVID-19 pandemic has presented an extraordinary opportunity for malicious actors to take advantage of users’ anxiety and need for information, as well as users’ increased vulnerability when working from home. Accordingly, spam related to COVID-19 has accounted for a very large percentage of overall spam since January—typically between 10% and 15%.

    One piece of good news is that in recent weeks, the volume of pandemic-related spam has dropped slightly, as home-based workers become savvier about cyber-resilience and basic cyber hygiene.

    However, Mimecast’s analysis suggests that as users become more resistant to basic spam and phishing tactics, malicious actors often reduce the volume of attacks but ratchet up the sophistication level and explore new methods.

    Back to Work Represents New Risks for Organizations

    As workers begin to head back to offices, cybercriminals are taking advantage. Several attacks use phishing emails claiming to provide information about new pandemic-related office policies, with the goal of installing malware or stealing credentials. “We are starting to see some places ease lockdowns. So people are thinking about returning to work—and they are looking to their companies and organizations for updates and information,” said Dr. Kiri Addison, Head of Data Science, Threat Intelligence for Mimecast.

    One attack uses a phishing email that purports to include a link or attachment to a company’s updated COVID-19 policy. When a recipient clicks on the link, they are directed to a webpage that installs malware. Mimecast has detected and blocked more than 1,400 examples of this attack in Australia alone.

    Another campaign is widespread but low volume, targeting users with a spoofed message from their company’s CEO about changes in office procedures due to the pandemic. The spoofed message may include the CEO’s actual name and email address, and warn recipients to share the email only with people they trust. It has circulated at major law firms in the U.S. coming from managing partners.

    Attackers also continue to update the topics of phishing messages to reflect the current state of the pandemic. A couple of months ago, the focus of many phishing attempts was on retail shortages and supplies. Now it’s about the latest sources of anxiety, such as going back to work and public transportation schedules. This reflects the typical evolution of phishing campaigns, explains Dr. Francis Gaffney, Director of Threat Intelligence for Mimecast; malicious actors aim to take advantage of people who are “searching for information about what is going on and what concerns them.”

    Non-Traditional Attack Vectors Surge

    We’ve also witnessed a surge in non-traditional phishing attack vectors such as text (SMShing) and voice messages (vishing), including “deepfake” audio impersonations.

    Phishing via text messages (SMShing) provides a way for attackers to gain entry to the contents of a mobile phone. Targets may receive an SMS with an apparent link to a tax agency, bank or other entity.

    Users are also receiving communications that tell them they’ve missed a phone call and include a link to a voicemail message. In most cases, the link actually takes the user to a spoofed login page designed to steal the person’s credentials. Mimecast has also seen an uptick in in more advanced vishing attacks that use “deepfake” audio messages, in which malicious actors use AI to create convincing voice impersonations of the organization’s top executives. In some instances, the crooks may use audio from webinars and other public media sources to capture the executive’s voice and mannerisms.

    It can be harder for users to detect malicious links on smartphones than on computers. On a desktop or laptop computer, a user can generally hover their mouse over a link to view the real URL, but it’s not as easy to do this on mobile devices.

    To minimize the risks due to non-traditional attack vectors, users should:

    • Remain wary of any unsolicited communications, especially text and email messages
    • Be aware that government agencies and law enforcement rarely, if ever, contact people electronically if they are trying to obtain money or for serious enforcement matters. They usually send those communications via regular mail and they involve many formal proceedings before fines are issued.
    • Avoid clicking on links to retrieve voicemail messages from unknown numbers.
    • If in doubt about a caller’s identity, search for the caller’s number online or in internal company resources to verify its validity.
    • If a voicemail appears to be from a trustworthy contact, consider contacting the caller on a known number to verify that the message is genuine.

    Healthcare Organizations Are Targeted

    Mimecast has detected a recent spike in attacks on healthcare organizations, as pharmaceutical firms and research facilities race to find vaccines and new medications to fight COVID-19. Some attacks are seeking to exfiltrate critical data or use ransomware to disrupt work.

    The Bottom Line

    Malicious actors continue to adjust their tactics as the pandemic unfolds, with recent attacks tapping into users’ current need for information about returning to work. It’s vital to ensure users stay aware during this critical phase. Awareness training can be extremely effective at reducing the risks: Mimecast has found that employees at companies that don’t use Mimecast’s security awareness training are 5.2x as likely to click on bad links as employees at companies that do use awareness training.

    Check our Coronavirus Response Center for information about evolving cyber threats, how to better support employees who are still working remotely, and other resources to help you and your organization.

    Mimecast will continue supporting you with monthly threat intelligence briefings. The next session will be June 16, followed by webinars on July 21 and August 18. Please join—and help make the briefings more valuable by sharing your challenges and concerns.


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top