{
	"id": "f2776dad-2e3b-4472-bf61-18e4aac5dfe2",
	"created_at": "2026-04-06T00:21:54.991739Z",
	"updated_at": "2026-04-10T13:12:50.63447Z",
	"deleted_at": null,
	"sha1_hash": "73984d4fc9b4b9a56a6155ccf9d629ffe14e6e4b",
	"title": "Microsoft warns of 'massive' phishing attack pushing legit RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2313195,
	"plain_text": "Microsoft warns of 'massive' phishing attack pushing legit RAT\r\nBy Lawrence Abrams\r\nPublished: 2020-05-19 · Archived: 2026-04-05 19:55:36 UTC\r\nMicrosoft is warning of an ongoing COVID-19 themed phishing campaign that installs the NetSupport Manager remote\r\nadministration tool.\r\nIn a series of tweets, the Microsoft Security Intelligence team outlines how this \"massive campaign\" is spreading the tool via\r\nmalicious Excel attachments.\r\nThe attack starts with emails pretending to be from the Johns Hopkins Center, which is sending an update on the number of\r\nCoronavirus-related deaths there are in the United States.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-warns-of-massive-phishing-attack-pushing-legit-rat/\r\nPage 1 of 5\n\nMalicious COVID-19 themed email\r\nAttached to this email is an Excel file titled 'covid_usa_nyt_8072.xls', that when opened, displays a chart showing the\r\nnumber of deaths in the USA based on data from the New York Times.\r\nMalicious Excel document\r\nAs this document contains malicious macros, it will prompt the user to 'Enable Content'. Once clicked, malicious macros\r\nwill be executed to download and install the NetSupport Manager client from a remote site.\r\n\"The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same\r\nURL to download the payload. 
NetSupport Manager is known for being abused by attackers to gain remote access to and run\r\ncommands on compromised machines,\" Microsoft tweeted.\r\nThe NetSupport Manager is a legitimate remote administration tool commonly distributed among the hacker communities to\r\nuse as a remote access trojan.\r\nWhen installed, it allows a threat actor to gain complete control over the infected machine and execute commands on it\r\nremotely.\r\nIn this particular attack, the NetSupport Manager client will be saved as the dwm.exe file under a random %AppData%\r\nfolder and launched.\r\nAs the remote administration tool is masquerading as the legitimate Desktop Windows Manager executable, it may not be\r\nnoticed as unusual by users viewing Task Manager.\r\nNetsupport Manager running as DWM.exe\r\nAfter some time, the NetSupport Manager RAT will be used to further compromise the victim's computer by installing other\r\ntools and scripts.\r\n\"The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe\r\nfiles, a VBScript, and an obfuscated PowerSploit-based PowerShell script. 
It connects to a C2 server, allowing attackers to\r\nsend further commands,\" Microsoft explained.\r\nAnyone who was affected by this phishing campaign should operate under the assumption that their data has been\r\ncompromised and that the threat actor attempted to steal their passwords.\r\nIt is also possible that the threat actor used the infected machine to spread laterally throughout the network.\r\nAfter cleaning the infected device, passwords should be changed, and the rest of the computers on the network should be\r\ninvestigated for infections.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-massive-phishing-attack-pushing-legit-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-warns-of-massive-phishing-attack-pushing-legit-rat/"
	],
	"report_names": [
		"microsoft-warns-of-massive-phishing-attack-pushing-legit-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434914,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73984d4fc9b4b9a56a6155ccf9d629ffe14e6e4b.pdf",
		"text": "https://archive.orkl.eu/73984d4fc9b4b9a56a6155ccf9d629ffe14e6e4b.txt",
		"img": "https://archive.orkl.eu/73984d4fc9b4b9a56a6155ccf9d629ffe14e6e4b.jpg"
	}
}