Back to All Research

Phishing Attacks Pose as Updated 2023 HR Policy Announcements

Threat actors are capitalizing on the new year, posing as human resources officials to send credential phishing attacks.
January 19, 2023

Now that 2022 has rolled over to 2023, employees can expect to receive emails from various internal departments about new programs that have taken effect in the new year. Whether it’s new benefits packages, updated corporate policies, or exciting company initiatives, a new year brings new changes, which are typically announced via company-wide emails.

But just like we see cybercriminals leverage the holidays or notable global events to add more temporally-relevant context to their attacks, bad actors are now exploiting the transition to the new year. In recent attacks stopped by Abnormal, these phishing campaigns contain themes related to updated HR policy announcements and include links and attachments that are then used to steal employee credentials.

Based on our research at Abnormal Intelligence, here are a few recent campaigns that have incorporated this theme, including information about why the content of these phishing attacks could result in a higher success rate.

Beware of Benefits: Payload-Based Credential Phishing Attacks

In this payload-based credential phishing attack, employees receive what appears to be an internal company announcement from the human resources department, informing them of a new employee benefits package. The message states that the new benefits package is now available for review and the recipient is asked to review the policy changes in an attached file named “Employee Docs.shtml.”

To pressure action, the message indicates that the recipient must immediately sign the attached document to acknowledge that they’ve reviewed the new handbook. Included in the email is an otherwise unnecessary sentence used to increase credibility that states, “The purpose of this policy is to maintain a compensation philosophy that is competitive and financially responsible while supporting service delivery, recruitment and retention of employees at [Company Name].”

The email was sent from a likely compromised external account unrelated to the target organization. The sender’s display name was set to the name of the target company rather than an employee, which makes the message look like it was generated by an automated internal system.

HR Policies Phishing Attacks Payload Based Phishing Email

Payload-based phishing email with an updated employee benefits theme

Upon clicking the attachment, a local copy of a phishing page that mimics a Microsoft login page opens in the browser and pre-populates with the recipient’s company email address. The login prompt includes a message stating that, because the recipient is accessing sensitive information, they need to verify their account password to authenticate their identity.

The use of the Microsoft login page adds credibility to the attack, as an unaware user may simply believe that the company cares about the security of the attached file.

HR Policies Phishing Attacks Phishing Page Rendered by SHTML Attachment

Phishing page rendered by SHTML attachment

To prevent easy analysis of the file, the source code of the SHTML attachment was obfuscated with JavaScript.

HR Policies Phishing Attacks Obfuscated Source Code of Attachment

Obfuscated source code of phishing attachment

Because this email was sent from a legitimate account that has been compromised and thus does not have a history of abuse, there are no direct signals indicating the email’s origin is malicious.

IOCs associated with the HTML attachment, such as file hash, had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. And because the files associated with this attack contained source code that had been obfuscated, an analysis of the file to identify malicious artifacts (such as URLs) could not be performed.

Heed the Handbook: Link-Based Credential Phishing Attacks

In this second attack, the initial email poses as an internal announcement from the company’s human resources department highlighting a recent update to the corporate employee handbook and guidelines.

The message states that all employees need to acknowledge that they have reviewed the new guidelines by the end of the week. The email uses peer comparison to drive the recipient into action, stating, “As of this morning, approximately 75% of our employees have acknowledged and we are looking to get all records updated.”

A link to the “handbook” is included in the email, but because the link is masked behind text, the destination URL is only visible by hovering over the link. In this specific example, the email is sent from an external Gmail account and the sender’s name is displayed as “Human Resource” rather than an employee’s name, which made the message look like an official, automated HR email—though the attacker did forget to include the “s” in Resources.

HR Policies Phishing Attacks Link Based Phishing Email

Link-based phishing email using an updated employee handbook theme

Had the recipient clicked on the link in the message, they would have been directed to a phishing page. Instead of posing as an account login page, this page instructs a recipient to enter their name and email credentials in order to verify their identity and download the updated employee handbook. The phishing page is hosted on a domain likely registered by the attacker, which mimics the domain of a healthcare company unrelated to the targeted organization.

HR Policies Phishing Attacks Phishing Page

Phishing page mimicking employee identity validation

The URL found in the email is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. Further, this email was sent from a Gmail account—a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks.

Context is Key in Social Engineering Attacks

The timing of these campaigns is not the only important aspect, as both examples also employ certain behavioral tactics that increase the likelihood of success. Threat actors play on human emotions, and they knew exactly what themes would likely work in this instance.

First, by using text related to updated medical benefits and new policies, targeted employees are more likely to take an interest, as they will want to know about any changes that may affect them or their families.

Most phishing messages exploit human emotions, such as fear, anxiety, trust, or reward; however, the most successful attacks incorporate themes that make a target feel personally impacted by the message. For instance, an email stating an employee needs to update their password is less likely to be successful than an email related to benefits or payroll. Just ask anyone who conducts security awareness campaigns what the click rate looks like for exercises that discuss employee bonuses!

Another effective tactic used by these attacks is the use of direct and specific requests for the employee to complete. Instead of merely mentioning that employee benefits have been updated, both of these attacks specifically ask recipients to review a document and electronically sign to acknowledge they’ve seen the updates.

Additionally, the link-based attack also includes a component of peer pressure, which may make the target feel compelled to complete the request in order to conform.

Stopping These Attacks Before They Target Your Employees

Simply knowing that these attacks are likely to target your organization is not enough, and employees should not be required to make the final decision on whether an email is legitimate or malicious. Instead, security leaders must prevent these attacks from reaching inboxes—so employees never have to even think about them.

Tools like Abnormal can help prevent these attacks and others like them, no matter which themes are used or how the attack is delivered. By understanding the identity behind the email sender, the relationship that the sender has with the organization, the intent of the link or attachment, and the content of the email itself, behavioral AI models can detect when a suspicious email is received and prevent end users from interacting with it.

In both of these cases, inputting credentials would provide the attackers with keys to the entire mailbox—as well as any other Microsoft applications associated with it including Teams, OneDrive, and SharePoint. Not only would attackers be able to use the mailbox to send additional attacks, but the risk here is particularly high for recipients who may have access to sensitive information in those cloud-based applications.

As attackers change their methods and rely on social engineering to trick employees, security is more important than ever. The best way to stay safe? Stop these attacks before they reach you or your employees.


To see more examples of notable attacks detected by Abnormal with insights into how each attack bypasses legacy defenses and how they can be detected, visit the Abnormal Intelligence Attack Library.

To discover more about how Abnormal stopped these human resources-themed attacks and others like it, schedule a demo of the platform today.

B AI Threat Intel Phishing Attacks HR Policies

See How Abnormal Stops Emerging Attacks

See a Demo

Get the Latest from Abnormal Intelligence

Subscribe to our monthly newsletter to receive the latest insights from our team directly in your inbox.