While executives are typically the most impersonated individuals, there is an increasing trend of attackers impersonating internal systems and departments to run their scams. In this attack, threat actors impersonate an organization’s HR department using the pretext of delivering an update on the Employee Benefits Eligibility Policy, asking recipients to view an HTML attachment in order to review and approve the compliance section.


Upon opening the HTML attachment, the victim is presented with a credential phishing page that appears similar to a Microsoft login screen. There, they are asked to sign in with their Microsoft 365 password. 


Why It Bypassed Traditional Security

This email is sent from a gmx.net email account, a free email service similar to Gmail. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. In addition, the email does not contain an attachment with malicious code—it is only upon further analysis that the phishing link is discovered.

Detecting the Attack

Understanding the context around this attack is important: the sender address has never previously communicated with the target organization, the sender display name does not match the email address, and the recipient has never before received an email with an HTML attachment. Further analysis of the attachment shows that the file asks the reader for a password, which makes it very likely to be a credential phishing lure.
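The signals listed above can be turned into a simple triage check. The following is an added example, not code from the original write-up or from any vendor product: it parses a constructed message that mimics the HR benefits lure (free webmail sender, mismatched display name, HTML attachment with a password field) and reports which of the page's signals fire. The webmail domain list and the known-sender and seen-attachment-type sets are assumptions standing in for an organization's own history.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample resembling the HR-themed lure; not a real campaign message.
SAMPLE_EML = """\
From: "HR Department" <benefits-team@gmx.net>
To: employee@example.com
Subject: Employee Benefits Eligibility Policy update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/plain

Please review and approve the compliance section in the attached form.
--bnd1
Content-Type: text/html; name="Benefits_Policy.html"
Content-Disposition: attachment; filename="Benefits_Policy.html"

<html><body><form action="https://example.invalid/submit">
<input type="email" name="login"><input type="password" name="passwd">
</form></body></html>
--bnd1--
"""

FREE_WEBMAIL = {"gmx.net", "gmail.com", "outlook.com", "yahoo.com"}  # assumed list
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def score_message(raw, known_senders, seen_attachment_types):
    """Evaluate the write-up's detection signals and return them as a dict."""
    msg = message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]
    attachments = list(msg.iter_attachments())
    signals = {
        "unknown_sender": sender.addr_spec.lower() not in known_senders,
        "free_webmail": sender.domain.lower() in FREE_WEBMAIL,
        # display name does not correspond to the mailbox it is sent from
        "display_name_mismatch": bool(sender.display_name)
        and _norm(sender.display_name) != _norm(sender.username),
        "novel_attachment_type": any(
            a.get_content_type() not in seen_attachment_types for a in attachments),
        # HTML attachment that asks the reader to type a password
        "attachment_requests_password": any(
            a.get_content_type() == "text/html" and PASSWORD_FIELD.search(a.get_content())
            for a in attachments),
    }
    signals["score"] = sum(1 for v in signals.values() if v)
    return signals
```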

Risk to Organization

Knowing that employees will be interested in changes to their benefits eligibility, attackers use social engineering to scam their targets and secure credentials. Should an employee fill out this form with the correct password, attackers would have access to the Microsoft 365 account, from which they can gather information, move laterally across applications, or send additional attacks to other employees, vendors, and customers.

Analysis Overview

Vector: Payload-based
Goal: Credential Theft
Tactic: Free Webmail Account; Spoofed Display Name