COVID-19 Phishing Campaign Targeting Companies | Cofense

A Cofense Phishing Defense Center report details a COVID-19 themed phishing campaign where threat actors impersonate companies to deploy fake COVID-19 forms and harvest credentials via online form builders. The campaign includes compromised sender addresses and redirects victims to legitimate-appearing pages, such as SharePoint, to deflect suspicion. #Typeform #Wufoo #SharePoint #COVID19 #phishing #Masquerading

Keypoints

  • The phishing emails impersonate organizations and use generic language to appear legitimate, targeting multiple companies with a mass-mail approach.
  • Threat actors spoof the sender’s display name (e.g., “Human Resources”) and sometimes use compromised real addresses.
  • The campaign leverages Typeform to host a credential-collecting form used in the first phishing wave.
  • A second campaign variant uses Wufoo to collect vaccination status information, with the flow redirected to a fake COVID-19 policy on SharePoint.
  • Phishing pages often redirect to seemingly non-malicious or legitimate sites to reduce user suspicion.
  • IOCs include specific IPs and phishing form URLs linked to the campaigns.
  • Organizations should build user awareness and rely on security tooling to identify and share IOC data to prevent similar attacks.

MITRE Techniques

  • [T1566.003] Phishing: Spearphishing via Service – Use of online form builders (Typeform, Wufoo) to host phishing forms that collect user credentials. “Typeform is used for online form building and surveys. Threat actors use these sites a lot as they can easily set up a phishing form quickly.”
  • [T1036] Masquerading – The sender spoofed the display name “Human Resources” so the recipient will assume it’s legitimate.
  • [T1078] Valid Accounts – Threat actors sometimes use legitimate but compromised email addresses to send out such phishing emails.
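
The two traits listed above, an internal-sounding display name on an outside address and a link to an online form builder, can be checked during mail triage. The following Python is an added example, not code from the Cofense report; the internal domain `example.com`, the display-name list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Assumptions, not from the report: the organisation's own mail domain and
# the display names that should only ever come from inside it.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_DISPLAY_NAMES = {"human resources", "hr"}
# Form builders named in the report.
FORM_BUILDER_DOMAINS = ("typeform.com", "wufoo.com")
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.IGNORECASE)

def form_builder_links(body):
    """Return URLs whose host is a form-builder domain or a subdomain of one."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in FORM_BUILDER_DOMAINS):
            hits.append(url)
    return hits

def triage(raw_email):
    """Return findings for the display-name and form-link traits."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Internal-sounding display name, but the address is outside the org.
    if display.strip().lower() in INTERNAL_DISPLAY_NAMES and domain not in INTERNAL_DOMAINS:
        findings.append(f"display name '{display}' from external domain {domain}")
    # Collect every text part so links in HTML alternatives are seen too.
    body = "\n".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_maintype() == "text"
    )
    findings += [f"form-builder link: {u}" for u in form_builder_links(body)]
    return findings

# Constructed sample message, not taken from the report.
SAMPLE = """From: Human Resources <jane@partner.example.net>
To: staff@example.com
Subject: COVID-19 acknowledgement form

Please complete the form: https://forms-demo.typeform.com/acknowledgement
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

A message sent from a compromised internal address passes the display-name check, so the form-builder link finding is the one that still fires in that case.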

Indicators of Compromise

  • [IP] Context – phishing infrastructure IPs identified: 104.18.26.71, 104.18.27.71, 18.67.65.39, 18.67.65.38
  • [URL] Context – Phishing form links used: hXXps://5g3poiiecwg[.]typeform[.]com/acknowledgement, hXXps://andy11[.]wufoo[.]com/forms/z1mh5ftj1a0115p/

Read more: https://cofense.com/blog/covid-19-phish-targeting-companies