The emails – part of an attack that Proofpoint researchers said began in October but increased in November – generally contain information about COVID-19 testing and the new Omicron variant. Cybercriminals and threat actors have used concern about COVID-19 as a phishing lure since the pandemic began to cause headlines in January and February of 2020. But with this specific attack, cybercriminals are spoofing the login portals of schools like Vanderbilt University, the University of Central Missouri and more. Some mimic generic Office 365 login portals, while others use legitimate-looking university pages. “It is likely this activity will increase in the next two months as colleges and universities provide and require testing for students, faculty, and other workers traveling to and from campus during and after the holiday season, and as the Omicron variant emerges more widely,” the Proofpoint researchers wrote. “We expect more threat actors will adopt COVID-19 themes given the introduction of the Omicron variant. This assessment is based on previously published research that identified COVID-19 themes making a resurgence in email campaigns following the emergence of the Delta variant in August 2021.” In some cases, Proofpoint found that the emails redirected potential victims to the actual websites of their university after their credentials are stolen. The emails typically come with subject lines like “Attention Required - Information Regarding COVID-19 Omicron Variant - November 29.” Others are tagged with “COVID test.” Thousands of messages have been sent using Omicron as a lure, and the emails typically have malicious files attached or come with URLs that steal credentials for university accounts. In some cases, Proofpoint found that attacks using attachments “leveraged legitimate but compromised WordPress websites to host credential capture webpages.” “In some campaigns, threat actors attempted to steal multifactor authentication (MFA) credentials, spoofing MFA providers such as Duo. Stealing MFA tokens enables the attacker to bypass the second layer of security designed to keep out threat actors who already know a victim’s username and password,” the researchers explained. “While many messages are sent via spoofed senders, Proofpoint has observed threat actors leveraging legitimate, compromised university accounts to send COVID-19 themed threats. It is likely the threat actors are stealing credentials from universities and using compromised mailboxes to send the same threats to other universities. Proofpoint does not attribute this activity to a known actor or threat group, and the ultimate objective of the threat actors is currently unknown.” Hank Schless, a senior manager at Lookout, told ZDNet that at the start of the COVID-19 pandemic in 2020, there was a ton of malicious phishing activity centered around the virus that tempted people with promises of increased government aid, information about shutdowns, and even self-testing apps. From Q4 2019 into Q1 2020, Schless said his company saw an 87% increase in enterprise mobile phishing. By early 2021, Schless noted that attackers changed their tune to deliver the same attacks with the promise of information around vaccines and reopenings. “Between Q4 of 2020 and Q1 of 2021, exposure to phishing increased 127% and remained at the same level through Q2 and Q3. Now, with questions around the Delta and Omicron variants, attackers are again using this as a way to convince potential victims to trust their communication and unknowingly share login credentials or download malware. Academic institutions make for ripe targets in the eyes of cybercriminals,” Schless said. “Large institutions may be conducting cutting-edge research or have massive endowments – both types of data than an attacker would want to steal or encrypt for a ransomware attack. Phishing campaigns know no industry, organization, or device type. They’re designed to be agile attacks that can be tweaked to target any individual.” He explained that while the attackers’ end goal discovered by Proofpoint is still unknown, a set of legitimate login credentials can be the most valuable asset to an attacker trying to infiltrate an organization’s infrastructure. By entering under the guise of a legitimate user, the attacker has a greater chance of accessing sensitive data without tripping any alarms, Schless added, noting that these campaigns are often the starting point for more advanced cyber attacks.