Threat Actors Adopt a “Back to Work” Theme for Phishing Lures

Monday, December 7th, 2020

Scammers have taken to impersonating a target organization’s human resources department in phishing emails crafted to look like internal ‘back to work’ company memos. It is highly likely that some targets will fall for the ruse, since during the COVID-19 pandemic most companies have regularly emailed their employees with updates on remote working policy changes.

The phishing emails used in this campaign spoof the target’s company mail service and are crafted to look like automated internal company memos with attached voicemails. This is a common tactic for convincing targets that the messages originate from within their own company, which increases the likelihood that they will share the sensitive information asked for in later stages of the attack. The emails also carry custom HTML attachments bearing the employee’s name, a personalization technique meant to convince recipients that the email is safe and entice them to open the attachment without much thought.

Once the attachments are opened, the targets are sent to a SharePoint document with details about remote working policy changes and an acknowledgment link at the bottom. Clicking that link will redirect them to a phishing landing page camouflaged as an HR compliance notification requiring the targets to enter their company email address and password. An added tactic used to make sure that the victims will provide their email credentials is the addition of an alert under the phishing form telling them to never give out their passwords to people they don’t trust.

Once a target falls for this attack, their email account is compromised and the attackers have gained access to sensitive corporate and personal information.
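As an added example (not part of the original article or any vendor tooling), the following mail-gateway check scores an inbound message against the three traits described above: a From address in the organization’s own domain that did not pass DMARC, an HTML attachment, and HR-memo or voicemail wording. The organization domain, the lure terms and the sample message are constructed assumptions.

```python
import email
from email import policy

# Constructed example; ORG_DOMAIN and every header value below are assumptions.
ORG_DOMAIN = "example.com"
LURE_TERMS = ("back to work", "voicemail", "remote working", "hr compliance")

def analyse_message(raw: bytes) -> list[str]:
    """Return the campaign indicators found in one inbound email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = (msg.get("From") or "").lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    # The lure spoofs the company's own mail service: an internal From address
    # arriving at the inbound edge without passing DMARC.
    if ORG_DOMAIN in sender and "dmarc=pass" not in auth:
        findings.append("internal sender address failed authentication")
    # Custom HTML attachments carry the employee's name and redirect onward.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")):
            findings.append(f"html attachment: {name}")
    # HR memo / voicemail wording used by this campaign, in subject or body.
    text = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text += " " + body.get_content().lower()
    hits = [t for t in LURE_TERMS if t in text]
    if hits:
        findings.append("lure wording: " + ", ".join(hits))
    return findings

SAMPLE = b"""From: HR Department <hr-notifications@example.com>
Subject: Back to Work: updated remote working policy
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.attacker.invalid; dkim=none; dmarc=fail header.from=example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Jane, please review the attached memo and acknowledge the new policy.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="Jane_Doe_memo.html"

<html><body>placeholder</body></html>
--b1--
"""

print(analyse_message(SAMPLE))
```

A message that trips all three checks is a strong quarantine candidate, while a single hit (for example, only lure wording) is better routed to a review queue.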
