Employee Benefits Eligibility Lure Used to Phish for Email Credentials

While executives are typically the most impersonated individuals, there is an increasing trend of attackers impersonating internal systems and departments to run their scams. In this attack, threat actors impersonate an organization’s HR department using the pretext of delivering an update on the Employee Benefits Eligibility Policy, asking recipients to view an HTML attachment in order to review and approve the compliance section.

Upon opening the HTML attachment, the victim is presented with a credential phishing page that appears similar to a Microsoft login screen. There, they are asked to sign in with their Microsoft 365 password. 

This email is sent from a gmx.net email account, a free email service similar to Gmail. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. In addition, the email does not contain an attachment with malicious code—it is only upon further analysis that the phishing link is discovered.

Understanding the context around this attack is important, as the email address has not previously communicated with the target organization. Furthermore, the sender display name is different from the email address, and the recipient has never before received emails with a HTML attachment type. Further attachment analysis discovers that it is likely a phishing email due to the fact that the file requests a password. 

Knowing that employees will be interested in changes to their benefits eligibility, attackers use social engineering to scam their targets and secure credentials. Should an employee fill out this form with the correct password, attackers would have access to the Microsoft 365 account, from which they can gather information, move laterally across applications, or send additional attacks to other employees, vendors, and customers.