Microsoft has released a statement warning users to stay vigilant against phishing emails, after detecting a malicious campaign that tricks users into downloading an Excel spreadsheet containing malicious macros. The criminals responsible are exploiting the confusion around Covid-19, as many others have been doing lately, to convince users that the emails are genuine and to enable macros within Excel once the file has been downloaded and opened.
“We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments,” read the tweet from Microsoft Security Intelligence.
Once the offending file has been downloaded, users will be prompted to ‘enable content’, which allows the macros to run, downloading and installing the remote access software and giving the cyber criminals control.
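As an added defensive example, not part of the original article or of Microsoft's advisory: a small Python scanner that walks the BIFF8 records of an Excel 97-2003 Workbook stream and flags any BOUNDSHEET record whose sheet type byte marks it as an Excel 4.0 macro sheet, also reporting whether the sheet is hidden or very hidden (a common trait of macro sheets in general). The sample bytes are constructed here; for a real file the Workbook stream would first be extracted from the OLE2 container (for example with olefile), which this example assumes has already been done.

```python
import struct

BOUNDSHEET = 0x0085  # BIFF record id for a sheet directory entry
SHEET_TYPES = {0x00: "worksheet", 0x01: "excel4_macro", 0x02: "chart", 0x06: "vba_module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very_hidden"}


def boundsheet(lb_ply_pos, hidden, sheet_type, name):
    """Build a BIFF8 BOUNDSHEET record; used only to construct the sample below."""
    name_bytes = name.encode("latin-1")
    body = struct.pack("<IBBBB", lb_ply_pos, hidden, sheet_type, len(name_bytes), 0) + name_bytes
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# Constructed sample (not a real malware sample): a BOF record, an ordinary
# worksheet, a very-hidden Excel 4.0 macro sheet, and an EOF record.
SAMPLE_STREAM = (
    b"\x09\x08\x10\x00" + b"\x00" * 16        # BOF (0x0809) with a 16-byte body
    + boundsheet(0x0400, 0, 0x00, "Invoice")
    + boundsheet(0x0800, 2, 0x01, "Macro1")
    + b"\x0a\x00\x00\x00"                     # EOF (0x000A), empty body
)


def find_sheets(stream):
    """Walk BIFF records sequentially and return metadata for each BOUNDSHEET."""
    sheets = []
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4: pos + 4 + length]
        if rec_id == BOUNDSHEET and len(body) >= 8:
            # grbit: low byte holds the hidden state, high byte the sheet type
            _, hidden, stype, cch, grbit_chr = struct.unpack_from("<IBBBB", body, 0)
            if grbit_chr & 1:  # name stored as UTF-16LE
                name = body[8: 8 + cch * 2].decode("utf-16-le", "replace")
            else:              # name stored as 8-bit characters
                name = body[8: 8 + cch].decode("latin-1", "replace")
            sheets.append({"name": name,
                           "type": SHEET_TYPES.get(stype, hex(stype)),
                           "hidden": HIDDEN_STATES.get(hidden & 0x03, "unknown")})
        pos += 4 + length
    return sheets


def has_xlm_macro(stream):
    """True if the stream declares at least one Excel 4.0 macro sheet."""
    return any(s["type"] == "excel4_macro" for s in find_sheets(stream))
```

Because the Workbook stream can be fragmented across OLE sectors, this record walk is a triage heuristic for a mail gateway or sandbox, not a full parser; a positive hit is a strong reason to quarantine the attachment before a user ever sees the 'enable content' prompt.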
Microsoft was keen to state that NetSupport Manager, the remote access tool being used, is a legitimate program and not malicious in itself; however, cyber criminals are abusing the software to gain complete control of compromised PCs and execute commands remotely.
“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures”, the tweets went on to say, acknowledging the volume of malicious emails currently flooding user inboxes that reference the crisis caused by the coronavirus pandemic.
In fact, criminals are so keen to take advantage of confusion and profit from others’ suffering that Google has claimed they are detecting and blocking over 240 million such messages every single day, in addition to 18 million phishing emails.
What can organisations do to stay safe against these threats?
“The advice for organizations and employees is to remain vigilant to this new kind of threat, and to deploy training as regularly as possible to make sure individuals remain aware,” says malware researcher, Tarik Saleh. “Phishing is at its core an attack on people, and people remain the best defense against it, in addition to ensuring proper processes remain in place.”
Most people can recognise a misspelled phishing email, but they are often not exposed to more advanced emails that are targeted and spoof domains to look convincing. Such targeted attacks on organisations are known as spear-phishing and are considered a rising phenomenon in today’s cyber environment.
While sophisticated email filters shield users from most phishing emails while they are on the corporate network, they often have the side-effect of lulling users into a false sense of security. Many users are unaware that email addresses and domains can be easily spoofed – meaning an email that appears to come from a familiar address can be just as dangerous as one from an unknown sender.
At the end of the day, there is no silver bullet when it comes to cyber security. A layered approach encompassing email filtering, firewalls, next-gen antivirus, regular security updates and more must be used in order to have the best possible chance to prevent a cyber attack or data breach from successfully occurring.
However, one important piece of the security puzzle that many companies often overlook is the human element – security awareness training. Last year, human error was responsible for approximately 90% of data breaches in the UK, with similar figures reported around the world.
Regular training and simulated phishing of staff has been proven to significantly reduce the risk of a successful cyber attack, and can be a useful way to measure risk and chart its reduction over time. Proactive approaches to cyber security are looked on favourably by data protection authorities, who have said in the past that they will set fines (like those scary 4% of turnover GDPR fines) on a case-by-case basis. Basically, should a breach occur, fines for an organisation will be reduced if it was better prepared, and training users can be a powerful way to prove that cyber security and data protection are being taken seriously.
If you’re concerned that your organisation may be prone to phishing attacks, Tech Guard offers a free phishing test for companies with 100 users or less (> 100 users also catered for, please enquire for pricing). We are partnered with KnowBe4, who are leaders in the security awareness training industry, to provide a proven, data-driven approach to training and phishing staff.