Phishing Campaign Uses Salary Increase Ploy: Report
Message About a Raise Designed to Harvest Credentials
A new phishing campaign lures employees with a message about a salary increase, according to researchers at the security firm Cofense. The campaign is designed to harvest Office 365 credentials.
The attackers use spoofing techniques to make the message look like legitimate email from a human resources department, according to a Cofense blog post.
“In particular, the threat actor changes the part of the ‘from’ field that dictates the ‘nickname’ displayed in the mail client to make it appear as if it originated within the company,” according to the blog post.
The campaign has been running since early October, but a similar campaign was observed last November, Milo Salvia, a researcher at the Cofense Phishing Defense Center who wrote the blog, tells Information Security Media Group.
So far, most confirmed cases of the campaign have been in North America and Europe, he adds.
“We’ve primarily seen large, multinational corporations targeted as part of this campaign,” he explains. “We’ve seen global, well-known brands targeted as part of this campaign, namely in the sports, insurance, finance and public industries.”
Mail Content and Technique
The phishing email has the company name in bold at the top of the page, the researchers write. The message states: “As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.”
Recipients are then presented with what appears to be a hosted Excel document called “salary-increase-sheet-November-2019.xls.”
“It is not uncommon, of course, for companies to increase salaries throughout the year. As a result, it wouldn’t be uncommon for an email like this to appear in an employee’s mailbox. Human curiosity compels users to click the embedded link,” according to the blog.
While the recipients believe they are opening a document hosted on SharePoint, they are actually being linked to an external website hosted on a malicious URL, the blog notes.
Upon opening the link, the recipient is presented with a clone of the Microsoft Office365 login page. The recipient email address is appended to the end of the URL that automatically populates the email box within the form, leaving just the password field blank to be submitted by the recipient.
“This adds a sense of legitimacy to the campaign, allowing the recipient to believe this comes from their own company,” the blog notes.
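The two traits described above (a "from" display name that claims an internal HR origin while the real address is external, and a SharePoint-looking spreadsheet link to an external host that carries the recipient's address to pre-fill the cloned login form) can be checked heuristically on inbound mail. The following is an added example, not code from Cofense or from the article; the company domain, company name and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, unquote

COMPANY_DOMAIN = "example.com"   # assumed internal mail domain (constructed)
COMPANY_NAME = "example corp"    # assumed company name as it would appear in display names
HR_WORDS = re.compile(r"\b(hr|human resources|payroll)\b", re.I)

def check_message(raw: str) -> list:
    """Return a list of findings for one raw RFC 5322 message; empty means no hits."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Trait 1: the display name suggests HR or the company itself, but the
    # actual sender address is not in the company's domain.
    claims_internal = HR_WORDS.search(display) or COMPANY_NAME in display.lower()
    if claims_internal and sender_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{display}' but sender domain '{sender_domain}'")
    _, rcpt = parseaddr(msg.get("To", ""))
    body = msg.get_payload()
    for url, text in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body, flags=re.I):
        host = (urlparse(url).hostname or "").lower()
        internal = (host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)
                    or host.endswith(".sharepoint.com"))
        # Trait 2: link text looks like a hosted spreadsheet, but the host is
        # neither SharePoint nor the company's own domain.
        if re.search(r"\.xlsx?\b|sharepoint", text, re.I) and not internal:
            findings.append(f"document link '{text}' resolves to external host '{host}'")
        # Trait 3: the recipient's address is embedded in the URL, the pattern
        # used to pre-populate the email box on the cloned login page.
        if rcpt and rcpt.lower() in unquote(url).lower():
            findings.append(f"recipient address embedded in link to '{host}'")
    return findings

# Constructed sample modelled on the article's description, not a real capture.
SAMPLE = """From: "Example Corp HR" <notices@hr-update.invalid>
To: <alice@example.com>
Subject: Salary increase
Content-Type: text/html

<p>As already announced, the wage increase will start in November 2019.</p>
<a href="https://docs-view.invalid/login?email=alice%40example.com">salary-increase-sheet-November-2019.xls</a>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```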
Cofense has no evidence for who is behind the campaign to harvest credentials, Salvia says.
Other Phishing Developments
Despite significant investments in next-generation security technologies, phishing threats continue to become more sophisticated and effective, Salvia says.
“Threat actors continue to tweak their campaigns and enhance their capacity to deliver malware, ultimately getting more messages past perimeter controls to user inboxes,” he adds.
Last week, security firm McAfee released a report on how cybercriminals were targeting users of Microsoft's Office365 subscription services with phishing campaigns that use fake voicemail messages in an attempt to steal victims' credentials and other information (see: McAfee: Malicious Voicemails Target Office365 Users).
Back in January, Edgewave reported on a phishing campaign that sent emails to victims indicating that they had missed a voice call.