Fraud Management & Cybercrime , Fraud Risk Management , Social Engineering

'Return to Office' Phishing Emails Aim to Steal Credentials

Researchers: Employees Lured With Messages About Shift to Workplace
'Return to Office' Phishing Emails Aim to Steal Credentials
Sample of email disguised as an automated internal notification from the company (Source: Abnormal Security)

Researchers at Abnormal Security have uncovered a credential-stealing phishing campaign that spoofs internal company memos concerning returning to the office.

See Also: Global State of Identities: Optimizing Identity Proofing

The ongoing campaign is believed to have targeted about 100,000 inboxes, bypassing Google G Suite email security, the researchers say.

The fraudsters are using email messages and landing pages that attempt to impersonate the company's internal messaging system and HR department. The emails focus on status updates regarding whether employees can plan to return to working in their employer’s offices, reflecting the updates companies have been sending out following the outbreak of COVID-19, according to the Abnormal Security report.

"Despite the rise in COVID-19 cases, companies are providing status updates to their employees on the dates office are expected to reopen and employees can return to working there," the report states.

The fraudsters also are trying to create a sense of urgency by using growing concerns regarding company safety protocols during the COVID-19 pandemic. "This email sets a short deadline for when employees must acknowledge that they have received this message and complete the form," the researchers note.

Since the outbreak of the COVID-19 pandemic, the number of spear-phishing emails using the pandemic as a lure has skyrocketed, according to Barracuda Networks.

"Goals of the attacks ranged from distributing malware to stealing credentials, and financial gain. One new type of ransomware our systems detected has even taken on the COVID-19 namesake and dubbed itself CoronaVirus," according to the Barracuda report.

Tricking Employees

In the phishing campaign uncovered by Abnormal Security, the emails are disguised as an automated internal notification from the company as indicated by the sender’s display name. "But the sender's actual address is ',' an otherwise unknown party,” the research report states. “Further, the IP originates from a blacklisted VPN service that is not consistent with the corporate IP, which indicates the sender is impersonating the automated internal system."

The emails, sent to specific employees, contain an HTML attachment that bears the recipient's name, which lures employees into opening it. The email also contains text that makes it seem as if the recipient has received a voicemail, researchers state.

By clicking on the attachment, the user is redirected to a SharePoint document with new instructions on the company's remote working policy. "Underneath the new policy, there is text that states 'Proceed with acknowledgement here.' Clicking on this link redirects the user to the attack landing page, which is a form to enter the employee's email credentials," researchers note.

Once a recipient falls victim to this trap, the login credentials for their email account are harvested.

"Although there is an explicit message telling those who fall on this landing page that they should never give out their passwords, there may be some recipients who still fall victim to this attack," researchers note.

Other Attacks

Researchers uncovered a similar phishing campaign in October that mimicked the automated messages of the business communication platform Microsoft Teams in an attempt to harvest users' Office 365 login credentials.

That campaign targeted approximately 50,000 Office 365 users (see: Phishing Campaign Mimics Microsoft Teams Alerts).

A similar phishing campaign discovered in May spoofed notification from Microsoft Teams to harvest credentials (see: Latest Phishing Campaign Spoofs Microsoft Teams Messages).

Security analysts have noticed similar campaigns targeting at-home workers, who are increasingly reliant on cloud-based services such as Zoom, Teams and Office 365 (see: Zoom-Themed Phishing Campaign Targets Office 365 Credentials).

Microsoft pushed out a patch in April for a bug in Teams that could allow an attacker to take over an organization's accounts through the use of a weaponized GIF image (see: Microsoft Patches Teams Vulnerability).

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.