Payroll Impersonation Designed to Elicit Quick User Response in Credential Phishing Attack

Threat actors often use information about salary and payroll as a hook to trick recipients into completing the desired action, and this works especially well when it comes to salary and payroll. In this email, the attacker provides the target with a link to a paystub registration via what appears to be an encrypted Microsoft email. Legitimacy is added through display name deception, with the from name presented as Microsoft Safe Servers®, complete with the registered trademark symbol. Upon clicking the HTML document, the user is directed to a credential phishing site that looks similar to the Microsoft login page.

This attack is sent from a legitimate domain and the entire attack is contained within the HTML attachment so it cannot be blocked by the company firewall. The URL within the attachment is not one that has been seen before, so it cannot be detected as malicious by threat intelligence-based systems. 

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis and display name analysis, a cloud email security platform understands when an email may be malicious. 

Because this email is related to pay, it might cause even the most diligent employees to click to open the Excel file, despite the number of grammatical errors included. Once an employee enters their Microsoft credentials, attackers have full access to the account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.