Microsoft have warned people of a massive Covid-19 related phishing scam run by cybercriminals. This latest attacks involves luring Microsoft users into downloading a remote administration tool called NetSupport Manager. This tool is commonly used by cybercriminals to gain access and control of users’ device.

According to Microsoft’s Security intelligence team, this new attack delivers the legitimate version of NetSupport Manager using emails with attachments containing a malicious Excel 4.0 macros.

Microsoft went on to demonstrate how this particular phishing attack works. The team said that users are sent a phishing email with an Excel attached named “covid_usa_nyt_8072.xls”, which contains statistics on Covid-19 deaths in the US. The cybercriminals have sent this email masquerading themselves as a source from John Hopkins Center. The email has the subject line line “WHO COVID-19 SITUATION REPORT”.

Once the user downloads the attachment, it shows the usual prompt “Enable content.” When the user clicks on this, hackers successfully install the NetSupport Manager client onto the remote device. This means that the hackers have gained control of the device, and can execute commands on the system.

The cleverness behind this attack is that NetSupport Manager tool is disguised as a legitimate Desktop Windows Manager. Cybercriminals will then use the NetSupport Manager to compromise the user’s device, making it hard for people to spot if it’s a fake.

Meanwhile, John Hopkins Center has clarified that it never sends attachments in emails. John Hopkins Centre have gone on to advise people to check the email address of the sender, and not to open any files received from unknown sources.

What do you do?

If you receive any emails claiming to have information on Covid-19, do not rely on these emails. Though Gmail and Outlook are able to scam emails for viruses, some manage to come into your inbox. Therefore, the best advice is don’t click on any links or attachments from unknown sources.

How to spot a Phish?

Stop and think the following:

  1. From Field – Do I know the sender? Do I normally communicate with the sender? Is the email from a suspicious domain? If in doubt, don’t open it.
  2. Attachment – Were you expecting to receive an attachment? Do you normally receive attachments from the sender? What type of file is attached? If in doubt, don’t open the attachment.
  3. Subject Line – Does the subject line create a sense of urgency? Does the subject line match the email content?
  4. Use of Language – Do you have an account or association with the company? Does the email contain obvious spelling or grammatical errors?
  5. Hyperlinks – Is the test of the link the same as the destination? Does the link include incorrect spelling or modified version of a known URL? If in doubt, do not click on the link. Verify the link by calling the sender.


Siccura Cybershield

Siccura Cybershield is the most interactive Cyber security training awareness programme. With a philosophy as simple as Test. Aware. Engage, we’ll help you:

  • Test your employees and IT defences by playing the role of an attacker.
  • Make your employees aware of the types of attacks such as Phishing, Vishing, Ransomeware and more
  • Engage your employees by sharpening their knowledge, and teaching them how to combat threats.

Through the training progamme, we’ll help you turn your employees into a Human Cybershield ready to defend your business.