UK Coronavirus Phishing Scam Uses Fake Email: How to Stay Safe
Cyber fraudsters are attempting to steal passwords to Microsoft accounts for small businesses in the UK by sending fake emails promising government bailout funds for companies forced to shut down by the coronavirus.

Abnormal Security researchers said in a blog post yesterday (June 10) that the email phishing campaign is disguised as a communication from the UK government's Small Business Grant Fund (SGF).

"The attack seeks to exploit the government's current efforts to provide relief funding to small business owners affected by the Covid-19 closure and Shelter in Place orders," the Abnormal Security report states.

"Requirements vary from country to country, but applicants must provide proof of eligibility.

"Since applicants are expected to communicate via email, attackers have a unique opportunity to impersonate legitimate authorities and extract sensitive information from their customers."

Phishing emails, estimated to have been sent between 1,000 and 5,000 times via Dropbox's official domain, ask recipients to click on a file called "COVID-19-Relief-Payment.PDF."

Abnormal Security describes the attack as a two-step process.

"The first step is a link in the email that directs the user to a standard Dropbox transfer landing page to download the file. Upon clicking the download button, the page redirects to a phishing landing page."

The second step takes the user to a landing page that shows an Office 365 image and a button asking them to "access" the document. Researchers warn that this is where the page's real purpose, capturing the user's Microsoft username and password, is revealed.

If recipients follow these instructions and fill out the forms provided, Microsoft credentials are compromised, which could lead to financial loss, the researchers said.

There are several reasons why this attack is effective. Users are urgently asked to fill out the form, the email comes from a persuasive sender and uses legitimate email headers, and if they have already signed up for the fund, they may expect to be contacted anyway.
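The indicators listed above (a relief-funding theme, urgency, a display name posing as a government body on a non-government sender address, and a ".PDF" lure hosted on a file-sharing service) can be checked mechanically before a message reaches an inbox. The script below is an added example written for this article, not code from Abnormal Security or Microsoft; the sample messages, addresses and the Dropbox transfer link in them are constructed placeholders, and the indicator names and scoring threshold are the author's own choices.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the article.
# Sender, recipient and link are invented placeholders, not real indicators.
SAMPLE_EMAIL = """\
From: "UK Small Business Grant Fund" <noreply@example-sender.invalid>
To: owner@example-smallbiz.invalid
Subject: Your COVID-19 Small Business Grant Fund relief payment
Content-Type: text/plain; charset="utf-8"

Your relief payment is ready. Download the confirmation
COVID-19-Relief-Payment.PDF within 24 hours or the grant will lapse:
https://www.dropbox.com/transfer/placeholder-id
"""

# Constructed benign control message for comparison.
BENIGN_EMAIL = """\
From: "Accounts" <accounts@example-smallbiz.invalid>
To: owner@example-smallbiz.invalid
Subject: Q2 supplier invoice
Content-Type: text/plain; charset="utf-8"

Hi, the Q2 invoice summary is on the shared drive. No rush.
"""

# Hosts where a "document" link points at a file-sharing landing page
# rather than at the claimed sender's own infrastructure.
FILE_SHARE_HOSTS = {"dropbox.com", "www.dropbox.com"}
URGENCY_WORDS = ("within 24 hours", "immediately", "urgent", "will lapse", "act now")
LURE_WORDS = ("grant", "relief", "bailout", "payment", "fund")
GOVERNMENT_CLAIMS = ("government", "grant fund", "hmrc", "gov.uk")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def analyse_email(raw: str) -> dict:
    """Score one RFC 822 message against the lure indicators from the article."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    payload = msg.get_payload(decode=True)  # bytes for a single-part message
    body = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(payload)
    text = f"{subject}\n{body}".lower()
    urls = extract_urls(body)
    hosts = {urlparse(u).netloc.lower() for u in urls}

    indicators = []
    # Display name claims a UK government body but the address is not on gov.uk.
    if any(w in display_name.lower() for w in GOVERNMENT_CLAIMS) and not sender_domain.endswith(".gov.uk"):
        indicators.append("sender_display_name_mismatch")
    # A named .pdf "document" whose only link leads to a file-sharing host.
    if re.search(r"\b[\w-]+\.pdf\b", text) and hosts & FILE_SHARE_HOSTS:
        indicators.append("pdf_lure_on_file_share_host")
    # Pressure to act quickly.
    if any(w in text for w in URGENCY_WORDS):
        indicators.append("urgency")
    # Subject built around relief or grant funding.
    if sum(w in subject.lower() for w in LURE_WORDS) >= 2:
        indicators.append("relief_funding_theme")

    verdict = "suspicious" if len(indicators) >= 3 else "low"
    return {"sender_domain": sender_domain, "urls": urls, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyse_email(raw)
        print(f"{name}: {result['verdict']} {result['indicators']}")
```

The check is deliberately conservative: a single indicator such as a Dropbox link or the word "grant" is normal business traffic, so only the combination of three or more raises the verdict. Per-indicator output is kept in the result so an analyst can see which signals fired rather than a bare score.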

To avoid falling victim to this scam, enable two-factor authentication in your Microsoft account. That way, even if someone steals your username and password, it will be much harder for scammers to access your account.