The COVID-19 has pushed teachers to work from home, deliver online classes to their students, and expect the submission of the assignments via the online platform. Malicious actors are using this as a opportunity to set up traps for teachers. Ransomware actors send fake assignments to teachers who work remotely, hoping to infect them with malware. The actors are using documents that fetch the malware from a legitimate code-hosting platform. The ransom is not high, which indicates a low-level actor, yet it still serves as an example of what to watch out for.

The ongoing campaign was noticed by Proofpoint researchers, who are warning about it while at an early phase.

Source: Proofpoint

The actors are sending emails using subjects like “Son’s Assignment Upload” or “Assignment Upload Failure for [Name of Student],” posing as the parent of a student who supposedly couldn’t upload the assignment on the school’s remote teaching platform. The idea is to trick the teacher into accepting the submission over email, while the addresses are likely sourced from public records. The attachments are either a ZIP or a DOC file, and they are laced with macros that fetch malware from ‘’

If the victim “enables content” on their MS Office Suite, and once the code hosting service successfully fetches the executables, the attacker receives a notification SMS so that he/she may take over the extortion process. The victim also gets a warning dialog where the actors identify themselves as “employer21.”

Source: Proofpoint

Unfortunately, some school districts still haven’t elevated their concern for ransomware attacks. Ransomware attacks have increased in volume and speed, and their impact has become much more significant as many schools continue online instruction. Teachers who work from home should keep this example in mind, and be very careful when they receive documents that ask them to “enable content.” In almost all of the cases, this is an attempt to infect them with malware.

Cybercrime is at an all-time high, and hackers are setting their sights on those considered “low hanging fruit.” Don’t be their next victim! You can have all of that brilliant stuff on the back end, but if somebody leaves the front door wide open, it’s not much. No matter how “bomb-proof” the network, you can still invite a hacker in. There are layers to security.



This discussion appeared on ProofPoint and TechNadu