Hackers Exploit Queen Elizabeth II’s Death in Phishing Attack

Side profile of Queen Elizabeth II wearing a green hat

Hackers are taking advantage of the outpouring of condolences for the late British monarch Queen Elizabeth II to launch a phishing attack and surreptitiously gain access to the Microsoft accounts of unsuspecting victims, cybersecurity researchers at Proofpoint revealed on Wednesday.

This revelation comes just a day after the UK’s National Cyber Security Centre (NCSC) issued a warning about potential phishing attacks in the aftermath of the Queen’s passing.

The attackers impersonate Microsoft and invite victims to write a tribute to the deceased monarch on an “interactive AI memory board.” Little do victims know that in their attempts to honor the memory of the Queen, they are handing over access to their Microsoft accounts.

How the Phishing Scam Works

This attack is not very different from other phishing and social engineering scams we’ve covered in recent months. What sets this attack apart is that the threat actor uses a sophisticated phishing-as-a-service (Phaas) toolkit to steal victims’ credentials and multifactor authentication (NFA) codes.

This attack begins with an email purported to be from “The Microsoft Team.” While the email doesn’t have the Microsoft logo, it does a good job spoofing the company’s official emails.

The email invites targets to check out and contribute to an interactive AI board created in memory of Queen Elizabeth II.

“Within this board, neural network will accumulate, analyze, and organize millions of memorable words and thousands of letters and photos, receiving them from all over the globe,” the phishing email shared by Proofpoint’s Threat Insight team on Twitter reads. “It gets memos from famous people, people close to the Queen, and people who just want to say some words of sorrow.”

The email invites victims to contribute to the “Elizabeth II Memory Board” by clicking a link. When victims click the link, they are redirected to a credential harvesting page where they are required to log in to their Microsoft account. While they do this, the EvilProxy phishing kit works in the background to compromise their accounts, stealing their login details and MFA tokens.

EvilProxy (also known as Moloch) is a newly identified Phaas toolkit that came to light earlier this month. However, Resecurity said the kit has been active since May 2022.

EvilProxy is sold on illegal dark web marketplaces. Phishing tools like EvilProxy give cybercriminals with relatively low technical knowledge and skill the means to carry out scams.

“EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxifying victim’s session,” Resecurity researchers wrote.

Report Suspicious Emails to the NCSC

The NCSC has urged the public to forward suspicious emails to [email protected] Its advisory also contains other helpful information and resources on the arrangements following the Queen’s death.

“Cyber criminals often play on your emotions to get you to click, and may also refer to high profile current events,” the NCSC wrote.

Check out our in-depth guide on phishing and social engineering scams to learn about the modus operandi of these attacks and how to protect yourself.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.