Salary Increase Update Sent to Steal Employee Credentials
Salary updates are a tactic often used by attackers, as human defenses are weakened when it comes to personal matters like an increase in wages. In this instance, attackers prey on this tendency and pair it with a note that this is the final update following the COVID-19 pandemic. To run the attack, the threat actors contain it entirely within the HTML attachment, and display name spoofing is used to make recipients believe it was sent by the company’s payroll department.
Why It Bypassed Traditional Security
The email address from which the attack was sent is valid and belongs to a legitimate domain, and the entire attack is contained within the HTML attachment. As a result, it cannot be blocked by a company firewall or proxy, and the URL inside the attachment is one the platform had never seen before.
Detecting the Attack
Behavioral systems are required to stop never-before-seen URL-based attacks that are unknown to threat intelligence-based solutions. Furthermore, content analysis and display name analysis should be combined with the URL behavioral signals to detect the urgency and tone the message uses on the recipient. By recognizing that this email uses display name deception and invokes a sense of curiosity in the recipient, a cloud email security platform can detect and block it before it reaches end users.
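The signals described above, combined in a small detector, as an added example that is not code from the original post or from any vendor's platform. It parses a constructed sample message (not a real capture), flags a payroll display name that is not backed by the organisation's own sending domain (ORG_DOMAIN is an assumed value), extracts URLs that live only inside an HTML attachment, and scores the subject for the salary lure.

```python
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "victim-corp.test"  # assumed: the defended organisation's own domain
PAYROLL_WORDS = ("payroll", "human resources")
LURE_WORDS = ("salary", "raise", "increase", "bonus")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message: payroll display name on an unrelated mailbox
# domain, and the only URL sits inside the HTML attachment, not the body.
SAMPLE_EML = """\
From: "Payroll Department" <notifications@mailer.example>
Subject: Final Salary Increase Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached final salary increase update.
--b1
Content-Type: text/html; name="salary_update.html"
Content-Disposition: attachment; filename="salary_update.html"

<html><body><a href="https://login-portal.bad.example/onedrive">Sign in</a></body></html>
--b1--
"""

def analyze(raw: str) -> dict:
    """Extract the signals described above and combine them into a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    # URLs carried only inside HTML attachments (the body itself links nowhere).
    urls = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            urls.extend(URL_RE.findall(part.get_content()))
    signals = {
        # Display name deception: claims payroll but is not sent from our domain.
        "display_name_spoof": any(w in display.lower() for w in PAYROLL_WORDS)
        and sender_domain != ORG_DOMAIN,
        "lure_subject": any(w in subject for w in LURE_WORDS),
        "html_attachment_urls": urls,
    }
    # Block when impersonation and an attachment-carried link coincide.
    signals["block"] = signals["display_name_spoof"] and bool(urls)
    return signals
```

The URL list is what a behavioral URL engine would then evaluate; on its own the never-before-seen URL says nothing, which is why the verdict requires the display name signal as well.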
Risk to Organization
If the target opened this attachment and then entered their OneDrive password, attackers would have full access to the Microsoft 365 account, from which they could uncover sensitive information or launch additional attacks. And if this attack reached multiple people within the organization, it could have ripple effects throughout the company as teams spend time tracking and remediating dozens of compromised accounts.