Post COVID-19 Shutdown: Back-to-Work Phishing Campaigns


What may appear to be a legitimate corporate email is actually a scam that is targeting corporate employees in an attempt to steal their login credentials.

This Back-to-work phishing campaign is impersonated to compromise the recipient’s email accounts and other confidential information.

Image source: Abnormal Security


Spoofing techniques are being used to hide the sender’s email address as the notification is designed to replicate on official email from the company. Abnormal Security recently discovered an attack email from the back-to-work phishing campaign

Email Attack: The email is disguised as an automated internal notification from the company as indicated by the sender display name. But the sender’s actual address is ‘’, an otherwise unknown party. Further, the IP originates from a blacklisted VPN service that is not consistent with the corporate IP. This indicates the sender is impersonating the automated internal system. The email is sent to a specific employee requesting a call back with an attachment and text that make it seem like the recipient has received a voicemail.

Image source: Abnormal Security


These techniques were implemented in order to urge the receiver to think that they have received an important voicemail and that a callback is urgently required.

The recipient receives the fraud email with an attachment and the recipient’s name in the subject line.

The attached document appeared to be the new guidelines for the company’s new policies for remote work. The document then redirects the user to a fake login page that encourages the user to login. The page is notoriously designed to steal user information.

Image source: Abnormal Security


The stolen credentials could then be used to access the targeted company’s private and confidential information.

Unfortunately, by the time Abnormal Security discovered the attack emails, the attackers had bypassed the G Suite’s security barrier and affected at least 10,000-100,000 employees.