An HHS.gov open redirect is currently being used by attackers to push malware payloads onto unsuspecting victims’ systems with the help of coronavirus-themed phishing emails. The open redirect (https://dcis.hhs.gov/cas/login?service=MALICIOUSURL&gateway=true) is present on the subdomain of HHS’s Departmental Contracts Information System. The attackers use it to link to a malicious attachment containing a malicious document, which unpacks an obfuscated VBS script that downloads and executes a Raccoon information stealer malware payload from http://185.62.188[.]204/hunt/post/corona.
Source: https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
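
A defensive check for the redirect pattern described above, as an added example that is not from the article or from HHS: it validates the `service` parameter of a CAS-style login URL against an exact-host allowlist and flags URLs (for instance from mail or proxy logs) that use the login endpoint to redirect off-site. The allowlist, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts the login endpoint may redirect to (hypothetical allowlist).
ALLOWED_SERVICE_HOSTS = {"dcis.hhs.gov"}

def service_target(login_url):
    """Return the decoded `service` value of a CAS-style login URL, or None."""
    values = parse_qs(urlsplit(login_url).query, keep_blank_values=True).get("service")
    return values[0] if values else None

def is_safe_service(service, allowed_hosts=ALLOWED_SERVICE_HOSTS):
    """Accept only absolute https URLs whose exact host is allowlisted."""
    if not service or "\\" in service or any(c.isspace() for c in service):
        return False
    try:
        parts = urlsplit(service)
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return False
    if parts.scheme != "https" or host is None:
        return False  # rejects http://, scheme-relative //host and relative paths
    if parts.username is not None or parts.password is not None:
        return False  # rejects https://trusted-host@other-host/ userinfo tricks
    return host.lower().rstrip(".") in allowed_hosts  # exact match, no suffix match

def flag_open_redirects(urls, login_host="dcis.hhs.gov", login_path="/cas/login"):
    """Return the URLs that use the login endpoint to redirect off-site."""
    flagged = []
    for url in urls:
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != login_host or parts.path != login_path:
            continue
        target = service_target(url)
        if target is not None and not is_safe_service(target):
            flagged.append(url)
    return flagged

# Constructed sample URLs (not taken from real traffic).
_BASE = "https://dcis.hhs.gov/cas/login?service="
SAMPLE_URLS = [
    _BASE + "https%3A%2F%2Fdcis.hhs.gov%2Fapp%2F&gateway=true",               # on-site
    _BASE + "http%3A%2F%2Fattacker.example%2Fdoc&gateway=true",               # off-site
    _BASE + "https%3A%2F%2Fdcis.hhs.gov.attacker.example%2F&gateway=true",    # suffix trick
    _BASE + "https%3A%2F%2Fdcis.hhs.gov%40attacker.example%2F&gateway=true",  # userinfo trick
    _BASE + "%2F%2Fattacker.example%2F&gateway=true",                         # scheme-relative
]

if __name__ == "__main__":
    for u in flag_open_redirects(SAMPLE_URLS):
        print("off-site redirect:", u)
```

The same `is_safe_service` check applies server-side, before the login endpoint issues its redirect, and in detection, when scanning link targets in inbound mail.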

