Amid continued ransomware attacks against the Pharmaceutical and Healthcare sectors and a surge in credential stuffing attempts targeting the Financial sector, some cybercrime syndicates have had their operations somewhat disrupted during the COVID-19 pandemic as a result of (1) increased usage of package delivery services and (2) government lockdowns. Other cybercriminals however have seen that as an opportunity.

This week’s newsletter will cover three cyberattack techniques that will put both individuals and organizations to the test.

  • Package delivery phishing campaigns
  • Collaboration and file sharing phishing campaigns
  • Brute-force attacks against RDP endpoints

Package delivery phishing campaigns

As people socially isolate and work from home, shopping online and home deliveries have increased. Security researchers have seen a new wave of COVID-19 themed phishing campaigns, impersonating well-known shipping carriers such as FedEx, UPS, and DHL.

  • Attackers have started sending malicious emails pretending to be from DHL, FedEx, or UPS, notifying the targeted individuals that their packages have been held due to the Coronavirus lockdown. The emails then prompt the unsuspecting users to make corrections to an attached shipping document, to review instructions on how to pick up a package or to reschedule a pick-up – actions which will essentially install trojans or other malware.

  • In another phishing campaign, targeting the Italian postal service provider Poste Italiane, attackers are attempting to steal customer financial data despite the deployment of the new PSD2 (Payment Service Directive 2) security controls. The phishing process involves multiple redirects and collection of various pieces of information including first and last name, credit card number and phone number for the SMS OTP (one-time password verification).


Collaboration and file sharing phishing campaigns

Social distancing mandates have forced many organizations to implement teleworking policies, often with little planning or no prior experience, which has led to an increased interest, including from the underground community, in collaboration and file sharing platforms such as Teams, Sway, and SharePoint.

A series of phishing campaigns around these platforms are yet another evidence of threat actor activity seeking to exploit workplace disruptions caused by the COVID-19 pandemic.

Operation "PerSwaysion"

“PerSwaysion” is what security researchers have dubbed a cybercrime operation which has targeted tens of companies around the world leveraging Microsoft file-sharing services, including Sway and SharePoint, to launch targeted phishing attacks to trick employees into giving away their Office 365 login credentials.

Fake Microsoft Teams Credential Harvesting Emails

Threat actors have also begun sending Microsoft Teams-related lures to employees from industries such as Energy, Retail and Hospitality to steal their credentials. 

According to researchers, the emails are very convincing-looking, with links that lead to landing pages that are identical to what a user would expect from a legitimate Teams page. 

Another concerning fact here is that attackers have deployed multiple URL redirects to throw off malicious link-detection tools and to hide the actual URL of the domain that is being used to host the attacks.

  • In one of the observed attacks, the phishing message impersonates the notification received when a coworker is trying to connect via Teams. An embedded link leads unsuspecting individuals to a document hosted on a third-party site. The hosted document contains an image asking users to log into their Teams accounts. Those folks that venture to click on the image get redirected to a landing page that mimics the Microsoft Office login screen.

  • In another, the phishing email claims that the recipient has a file waiting for them on Microsoft Teams. The supplied link redirects the user to a page on YouTube, and then a few more times before finally arriving on the credential harvesting page.

Brute-force attacks against RDP endpoints

The Remote Desktop Protocol (RDP) is a proprietary Microsoft technology that lets users log into remote servers and workstations across the internet.

RDP endpoints are vulnerable to repeated login attempts during which hackers try different username and password combinations to gain access. With countries imposing quarantines and stay-at-home orders, security researchers have spotted two trends:

  • Organizations deploying more RDP systems online, increasing the attack surface for malicious parties.
  • Perpetrators conducting more RDP brute-force attacks.

Once attackers compromise an RDP endpoint, they will usually put the credentials on sale in the so-called “RDP shops”. Other cybercriminals buy these credentials, access a company's network, and then steal proprietary data, perform reconnaissance before attempting a wire fraud (BEC) attack, or install ransomware to encrypt files and demand a ransom payment.

To reduce the risk of such attacks from materializing:

  • Avoid using the default ‘Administrator’ account. Instead create new custom accounts, using strong usernames and passwords. 
  • Set role-based privileges to all remote access accounts and allocate only the minimum required privileges for all users.
  • Set up a simple policy of accounts getting locked out after a certain number of failed attempts within a specified amount of time.
  • Use RDP gateways that offer a point-to-point RDP connection.

As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website or by e-mailing


Amatas, Kaspersky, ZDNet, Bleeping Computer, The Hacker News, Group-IB Threat Intelligence, Dark Reading, Microsoft Security Intelligence, Abnormal Security, Cyware, Check Point, Sucuri.