With vaccination and the lifting of Coronavirus restrictions, many employees are beginning to return to their offices. We are starting to see hackers shift their focus back to traditional workplaces.
Recently, remote workers have been the main targets of scammers. This makes sense because of the massive shift to working from home that was facilitated by the (technically still-ongoing) COVID-19 pandemic.
Now, a new phishing campaign is aimed at exploiting those workers who have started making their way back to the physical workplace.
This new campaign uses email as the attack vector. A security company by the name of Cofense says that hackers are targeting returning employees with emails that are supposedly from their office welcoming them back.
Like most phishing campaigns that work, the email looks legitimate enough for a layperson to believe. It will have the company logo (which is usually all it takes to fool these people) in the header. The main part of the message covers the new precautions and changes that are expected to be put in place for businesses to operate during this return to work.
In the event that an employee is tricked by the email, they are redirected to what looks like a Microsoft SharePoint page, but it’s not.
“When interacting with these documents, it becomes apparent that they are not authentic and instead are phishing mechanisms to garner account credentials.”
Dylan Main – Cofense Threat Analyst
If you are foolish enough to believe this stuff, you will then be directed to a ‘login’ panel. This is where you cost your company millions of dollars if you are ignorant enough.
“This is uncommon among most Microsoft phishing pages where the tactic of spoofing the Microsoft login screen opens an authenticator panel. By giving the files the appearance of being real and not redirecting to another login page, the user may be more likely to supply their credentials in order to view the updates.”
Dylan Main
Another trick up these hackers’ sleeves is fake ‘validated’ credentials. The first several times that you put login information into these fields, it will return an error message that says, ‘Your account or password is incorrect.’
“After entering login information a few times, the employee will be redirected to an actual Microsoft page. This gives the appearance that the login information was correct, and the employee now has access to the OneDrive documents. In reality, the threat actor now has full access to the account owner’s information.”
Dylan Main