Security Experts:

Connect with us

Hi, what are you looking for?



COVID-19 Lures Only a Fraction of Daily Phishing Emails

Microsoft Sees 60,000 COVID-19 Phishing Emails Every Day

The number of COVID-19-themed attacks has increased significantly over the past couple of months, but they represent only a fraction of daily threats, security firms say.

Microsoft Sees 60,000 COVID-19 Phishing Emails Every Day

The number of COVID-19-themed attacks has increased significantly over the past couple of months, but they represent only a fraction of daily threats, security firms say.

Just as the joint alert issued on Wednesday by the U.S. Department of Homeland Security (DHS) and the United Kingdom’s National Cyber Security Centre (NCSC) noted, the overall levels of cybercrime did not increase, despite the massive spike in COVID-19-related themes.

According to Microsoft, every country in the world has seen at least one COVID-19-themed attack, with countries most affected by the outbreak seeing the highest volume of incidents. To date, China, the United States, and Russia have been hit the hardest, the company says.

At the moment, the tech giant is seeing roughly 60,000 phishing emails that carry COVID-19 related malicious attachments or malicious URLs each day. However, given the millions of malicious emails observed on a daily basis to target hundreds of thousands of users, that number amounts to less than two percent of the total volume of threats.

FireEye too has observed a similar shift in the threat landscape, but notes that only two percent of the malicious emails it detected in March had a COVID-19 theme.

This, Microsoft notes, “reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear. Attackers are impersonating established entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes.”

Microsoft also explains that the COVID-19-themed threats are, in fact, retreads of existing attacks, altered to fit the current trend. Basically, the attackers only changed the lures, but did not increase the number of attacks. Trickbot and Emotet operators are highly active, rebranding their lures to take advantage of the coronavirus outbreak.

According to FireEye, despite the shift in lures, the threat actors remain the same, and continue to use the same tools they used before the crisis. They only started leveraging the global situation for social engineering.

“Ultimately, COVID-19 is being adopted broadly in social engineering approaches because it is has widespread, generic appeal, and there is a genuine thirst for information on the subject that encourages users to take actions when they might otherwise have been circumspect,” FireEye notes.

With over 18,000 malicious COVID-19-related URLs and IP addresses processed daily, Microsoft says it’s clear that attackers are more aggressive, but are using the same delivery methods, only swapping out the malicious URLs more frequently to evade detection.

As for the actors that take advantage of coronavirus-themed lures, they range from profit-driven cybercriminals to nation-state groups engaging in cyber-espionage. Moreover, FireEye says some adversaries have shared tools on underground communities to make COVID-19-related lures more efficient.

Moving forth, the number of attacks exploiting the coronavirus crisis is expected to grow even more. In a recent alert, the FBI warned that BEC scams leveraging the global pandemic are likely to become more frequent.

Related: How Has the Coronavirus Pandemic Impacted Cybersecurity Professionals?

Related: US, Britain Warn That Hackers Increasingly Use Coronavirus Bait

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.