Business owners with Microsoft Office 365 accounts are targeted in a phishing campaign that uses bait emails designed to look like legitimate Small Business Grants Fund (SGF) relief payment messages from the UK government.

According to security researchers at email security company Abnormal Security, the emails from these highly targeted phishing attacks have so far landed in the mailboxes of up to 5,000 potential victims.

The scammers behind this phishing campaign have found the perfect time to use this tactic since governments all over the globe are currently doing their best to give a helping hand to businesses and citizens dealing with financial issues caused by the COVID-19 pandemic.

Additionally, they are taking advantage of their victims’ hopes for governmental financial aid to get them out of a tough spot, with emails camouflaged as official government correspondence potentially lowering their guard.

Dropbox Transfer alerts used for legitimacy

To make sure that their targets’ Secure Email Gateways (SEG) won’t automatically block their phishing messages, the attackers are using automated Dropbox Transfer notifications, which allow them to send their baits from

This gives the attack a boost of legitimacy due to Dropbox being a known and trusted entity, a tactic designed to induce a sense of trust among potential victims.

In the emails, the attackers include a link to a COVID-19-Relief-Payment.PDF document that supposedly contains the documentation the SMB owners need to file with the authorities to prove their eligibility in relief fund programs.

Phishing email sample (Abnormal Security)

An expiration date is also included to provoke a sense of urgency, pushing the targets to act as soon as possible since the link to the payment relief documents will expire within four days.

If the recipients click the link embedded in the phishing email, they are redirected to a benign Dropbox Transfer landing page that asks them to download the PDF file or save it into their Dropbox account.

“Not only does this bypass traditional mail filters but it also goes undetected by any existing web proxy and firewall controls,” Abnormal Security’s researchers explain.

“This is also extremely convenient for attackers because they can send the payload without ever having to verify if the targeted network is allowing an inbound SMTP or testing firewalls/proxies.”

Phishing redirection steps (Abnormal Security)

Instead of providing them with the relief fund documentation, the PDF instructs them to open a document hosted on Microsoft OneDrive by clicking on an Access Document button.

The link, however, redirects to a Google Docs document with a Google Form that asks them to log in with their Office 365 credentials.

If they fall for this trick and attempt to log in to gain access to the documentation promised in the phishing message, their credentials get harvested and sent to the attackers.

“The moment the end-user inputs their credentials into the form provided, their Microsoft credentials on all accounts are compromised. Ultimately, this can lead to financial loss for the organization.”
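The chain described above has a checkable property: the button is presented as OneDrive and the form asks for Office 365 credentials, yet both are served from Google Docs. The following Python is an added example, not code from Abnormal Security or the original article; the brand-to-domain table, the step field names and the sample URLs (with placeholder IDs) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list: domains each brand legitimately serves pages from.
BRAND_DOMAINS = {
    "microsoft": {"microsoftonline.com", "live.com", "office.com",
                  "sharepoint.com", "1drv.ms", "microsoft.com"},
    "dropbox": {"dropbox.com"},
    "google": {"google.com"},
}

def host_matches(url, brand):
    """True if the URL's host is, or is a subdomain of, a domain of `brand`."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def assess_chain(steps):
    """Return (step_number, finding) pairs for a click chain.

    Each step is a dict with `url`, plus optional `presented_as` (the brand
    the lure names for the link) and `asks_credentials_for` (the brand whose
    login the page requests).
    """
    findings = []
    for i, step in enumerate(steps, 1):
        shown = step.get("presented_as")
        if shown and not host_matches(step["url"], shown):
            findings.append((i, "label_mismatch"))
        wanted = step.get("asks_credentials_for")
        if wanted and not host_matches(step["url"], wanted):
            findings.append((i, "credential_prompt_off_brand"))
    return findings

# Constructed chain mirroring the article; IDs are placeholders, not real links.
SAMPLE_CHAIN = [
    {"url": "https://www.dropbox.com/t/EXAMPLE", "presented_as": "dropbox"},
    {"url": "https://docs.google.com/forms/d/e/EXAMPLE/viewform",
     "presented_as": "microsoft",            # PDF button claims OneDrive
     "asks_credentials_for": "microsoft"},   # form asks for Office 365 login
]

if __name__ == "__main__":
    for step_no, finding in assess_chain(SAMPLE_CHAIN):
        print(step_no, finding)
```

The first hop passes cleanly because it really is Dropbox, which is why the check has to follow the chain to the page that asks for credentials rather than stop at the emailed link.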

Financial relief payments: the perfect pandemic bait

Relief fund payments have become a favorite bait for phishing campaigns since the start of the COVID-19 outbreak, as shown by phishing attacks using them to steal victims’ personal information and to infect them with malware.

In March, the FBI warned of a phishing campaign that used fake government economic stimulus checks as bait to steal sensitive personal info from potential victims.

“While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information in order to send you money,” the FBI said at the time.

Additionally, attackers launched attacks attempting to infect small businesses with Remcos RAT payloads using fake disaster assistance grants delivered via phishing emails impersonating the U.S. Small Business Administration (U.S. SBA).

Cisco Talos also said on March 30 that its researchers had “already detected an increase in suspicious stimulus-based domains being registered” and staged for COVID-19 relief package themed attacks.

The IRS warned in early April of a surge in economic stimulus payment scams trying to steal personal information over email, phone calls, or social media, scams that could potentially lead to tax-related fraud and identity theft.

Later that month, several phishing campaigns started impersonating the U.S. Federal Reserve, baiting their victims with government financial relief options through the Payment Protection Program.

This article was reblogged from