Connect with us

Hi, what are you looking for?



COVID-19 Lures Only a Fraction of Daily Phishing Emails

Microsoft Sees 60,000 COVID-19 Phishing Emails Every Day

The number of COVID-19-themed attacks has increased significantly over the past couple of months, but they represent only a fraction of daily threats, security firms say.

Microsoft Sees 60,000 COVID-19 Phishing Emails Every Day

The number of COVID-19-themed attacks has increased significantly over the past couple of months, but they represent only a fraction of daily threats, security firms say.

Just as the joint alert issued on Wednesday by the U.S. Department of Homeland Security (DHS) and the United Kingdom’s National Cyber Security Centre (NCSC) noted, the overall levels of cybercrime did not increase, despite the massive spike in COVID-19-related themes.

According to Microsoft, every country in the world has seen at least one COVID-19-themed attack, with countries most affected by the outbreak seeing the highest volume of incidents. To date, China, the United States, and Russia have been hit the hardest, the company says.

At the moment, the tech giant is seeing roughly 60,000 phishing emails that carry COVID-19 related malicious attachments or malicious URLs each day. However, given the millions of malicious emails observed on a daily basis to target hundreds of thousands of users, that number amounts to less than two percent of the total volume of threats.

FireEye too has observed a similar shift in the threat landscape, but notes that only two percent of the malicious emails it detected in March had a COVID-19 theme.

This, Microsoft notes, “reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear. Attackers are impersonating established entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes.”

Microsoft also explains that the COVID-19-themed threats are, in fact, retreads of existing attacks, altered to fit the current trend. Basically, the attackers only changed the lures, but did not increase the number of attacks. Trickbot and Emotet operators are highly active, rebranding their lures to take advantage of the coronavirus outbreak.

Advertisement. Scroll to continue reading.

According to FireEye, despite the shift in lures, the threat actors remain the same, and continue to use the same tools they used before the crisis. They only started leveraging the global situation for social engineering.

“Ultimately, COVID-19 is being adopted broadly in social engineering approaches because it is has widespread, generic appeal, and there is a genuine thirst for information on the subject that encourages users to take actions when they might otherwise have been circumspect,” FireEye notes.

With over 18,000 malicious COVID-19-related URLs and IP addresses processed daily, Microsoft says it’s clear that attackers are more aggressive, but are using the same delivery methods, only swapping out the malicious URLs more frequently to evade detection.

As for the actors that take advantage of coronavirus-themed lures, they range from profit-driven cybercriminals to nation-state groups engaging in cyber-espionage. Moreover, FireEye says some adversaries have shared tools on underground communities to make COVID-19-related lures more efficient.

Moving forth, the number of attacks exploiting the coronavirus crisis is expected to grow even more. In a recent alert, the FBI warned that BEC scams leveraging the global pandemic are likely to become more frequent.

Related: How Has the Coronavirus Pandemic Impacted Cybersecurity Professionals?

Related: US, Britain Warn That Hackers Increasingly Use Coronavirus Bait

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.