Multiple threat research firms have uncovered a spate of phishing campaigns targeting professionals with details about salary increases, benefits changes and updated employee handbooks.
Proofpoint, as early as Jan. 10 and as recent as Wednesday, said it observed emails containing phishing links purportedly from HR.
Email subject lines and messages contained information about pay raises, missing timesheets, password resets, above-limit expense claim figures and corporate cybersecurity training, according to Proofpoint’s threat research team.
The turn of a calendar year typically coincides with multiple HR-related updates for professionals. This period of heightened HR activity regarding benefits, compensation and annual reviews also creates a window for threat actors to initiate social-engineering campaigns.
“Threat actors are notorious for using current events to create enticing social-engineering lures,” Sherrod DeGrippo, VP of threat research and detection at Proofpoint, said in a statement.
“Threat actors are hoping to evoke an emotional reaction and elicit a click without judgment,” DeGrippo said.
The URLs for some of the email phishing lures observed by Proofpoint were routed through a traffic direction system that redirected to the EvilProxy phishing framework to compromise Microsoft accounts.
Proofpoint’s threat research team said it assesses with medium confidence that the series of EvilProxy framework campaigns are attributable to the same threat actor, but the activity does not map to any of the firm’s currently named threat actors.
The volume of messages linked to this ongoing campaign are typically in the thousands, and hundreds of organizations, including an outsized portion of financially aligned organizations, have been targeted, according to Proofpoint.
“With promotions, pay raises and bonus payouts taking place right now at many companies, lures on this topic are not surprising, and the EvilProxy phishing framework has been an increasingly popular MFA [multifactor authentication] phishing-as-a-service kit since August 2022,” DeGrippo said.
Threat actors repeatedly prove their ability to exploit MFA via phishing or social-engineering attacks, as evidenced by the persistent and widespread text-message phishing campaign dubbed Oktapus or Scatter Swine.
MFA is regularly weaponized by cybercriminals that dupe employees into sharing credentials.
Abnormal Intelligence on Thursday also published a report detailing a few recent campaigns that play up the HR theme for professionals.
One payload-based credential phishing attack purportedly from HR includes a malicious link to a new employee benefit package that pressures recipients to immediately sign to acknowledge receipt. When clicked, the attachment opens a local copy of a phishing page that mimics a Microsoft login page with a pre-populated corporate email address of the recipient, according to Abnormal Intelligence.
The threat research firm also observed a link-based credential phishing attack in an email posing as an internal announcement from HR regarding a recent update to the employee handbook and guidelines.
Each of these campaigns could result in the compromise of sensitive corporate data and systems.
“Most phishing messages exploit human emotions, such as fear, anxiety, trust, or reward; however, the most successful attacks incorporate themes that make a target feel personally impacted by the message,” Crane Hassold, director of threat intelligence at Abnormal Intelligence, said in a blog post. “Threat actors play on human emotions, and they knew exactly what themes would likely work in this instance.”
