As Delta Variant Spreads, COVID-19 Themes Make Resurgence in Email Threats

Multiple distinct types of high-volume threats have pivoted back to using COVID-19 social engineering themes as the global concern about the Delta variant continues to rise. The newly observed campaigns related to the identified malware follow a lull in COVID-19-themed threat campaigns through the Spring and early Summer of 2021.

Campaign Details

Proofpoint has tracked ongoing threats leveraging COVID-19 and related coronavirus themes since the beginning of the pandemic. TA452, known to distribute Emotet, first began using COVID-19 in email threats in January 2020. Although the virus has remained an ongoing theme, Proofpoint researchers observed a significant increase in the number of messages leveraging COVID-19 themes in recent months.

Since late June 2021, Proofpoint has observed high-volume COVID-19-themed campaigns distributing RustyBuer, Formbook, and Ave Maria malware, in addition to multiple corporate phishing attempts to steal Microsoft and O365 credentials. Proofpoint researchers also identified an increase in business email compromise threats leveraging COVID-19 themes in this timeframe.

Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint, said: “As the COVID-19 situation evolves, scammers will continue to use social engineering to tie their attacks to the news agenda, from the appearance of the coronavirus, to vaccines, pandemic financial relief or healthcare information. This trend continues as the Delta variant spreads, and vaccination programs roll out across the Middle East. It is therefore crucial for companies in the region to provide security awareness training for employees to ensure they can identify and report such email threats”.

The increase in COVID-19 themes in Proofpoint data aligns with public interest in the highly contagious COVID-19 Delta variant.

The increase in COVID-19 related threats is global. Proofpoint observed tens of thousands of messages intended for customers in various industries worldwide. Open-source data also supports a greater threat actor adoption of COVID-19 themes recently.

Credential Theft

Proofpoint researchers have observed multiple high-volume COVID-19 related credential theft campaigns, including a Microsoft credential theft campaign targeting thousands of organisations globally. The messages purported to be vaccination self-compliance reports sent by the target entities’ human resources divisions. They contained a URL which likely leads to a fake Microsoft authentication page designed to harvest user credentials.

Employment Status

Proofpoint researchers observed a new high-volume Formbook campaign, sent to hundreds of organisations, in which the sender masquerades as a human resources professional. The emails contain a zipped file (e.g. Scan.Salary.zip) and tell the recipients that their jobs are being eliminated due to the financial impact of COVID-19.

The emails are generic but customised to the intended organisation. To further entice the recipient to open the malicious file, the email states a “2 months salary receipt” is attached. The emails contain a malicious .ZIP attachment that, when extracted and executed, leads to the installation of Formbook malware. This campaign consisted of over 7,000 emails intended for a broad spectrum of organisations.
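
A mail-gateway triage check for the lure described above, as an added example that is not from Proofpoint or the original article: it parses a message, lists ZIP attachment members without extracting them, and flags executable-looking members that arrive alongside the lure phrases quoted on this page. The extension list, the quarantine rule, the sample message and the member name inside the ZIP are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure phrases drawn from the campaign descriptions on this page.
LURE_PHRASES = ("covid", "salary receipt", "vaccin")
# Assumption: extensions treated as directly runnable on a Windows endpoint.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd")

def zip_exec_members(data: bytes) -> list:
    """Names of executable-looking ZIP members, read from the index only."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a parseable ZIP; nothing to report

def triage(raw: bytes) -> dict:
    """Combine lure-phrase matches with ZIP content inspection."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    lures = [p for p in LURE_PHRASES if p in text.lower()]
    hits = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members = zip_exec_members(part.get_content())  # bytes for application/zip
            if members:
                hits[name] = members
    # Assumed policy: hold the message only when both signals are present.
    return {"lures": lures, "zip_executables": hits, "quarantine": bool(lures and hits)}

def build_sample(member: str = "Salary.Receipt.pdf.exe") -> bytes:
    """Constructed sample message; the ZIP member is a harmless text stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a program")
    m = EmailMessage()
    m["From"], m["To"] = "hr@example.com", "user@example.com"
    m["Subject"] = "Employment status update"
    m.set_content("Your role is eliminated due to COVID-19.\nA 2 months salary receipt is attached.\n")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Scan.Salary.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```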

Ave Maria

Proofpoint researchers identified new Ave Maria malware campaigns largely targeting energy and industrial organisations. Ave Maria is a remote access trojan, written in C++, that is capable of process and file system manipulation, command shell access, webcam control, keylogging, password theft, and remote desktop access. The first observed series of emails purported to be health advisories related to COVID-19 and purported to contain “preventative measures” relating to the target company’s policies. Over a thousand emails targeted dozens of customers, with more than 90% of the intended targets in the energy vertical.


Currently, one of the most active COVID-19 related threats is RustyBuer, a new Rust-based Buer Loader strain first identified by Proofpoint researchers in April 2021. Buer is a downloader that is used as a foothold in compromised networks and as an ‘Initial Access Broker’ to distribute other secondary payloads, including ransomware.

The recent campaigns leveraging the pandemic themes include senders purporting to be related to healthcare with subjects referencing vaccine mandates, equitable healthcare opportunities, and current infection rates.


As the severity of the Delta variant increases in proportion to COVID-19 infections, so does its media coverage worldwide. Based on past behaviour, media attention increases the likelihood that actors will shift back to a broader adoption of COVID-19 as social engineering material and localise it to their respective regions. It is possible more threat actors will begin to use the virus as a lure in future campaigns while infection rates and interest in the virus and protective measures remain high.
