CYFIRMA identified an ongoing phishing campaign using invoice- and payment-themed emails with malicious PDF attachments and QR codes that redirect finance and procurement staff to credential-harvesting sites. The campaign employs multi-stage document-based delivery, reusable phishing templates, and rotating backend infrastructure to evade detection and sustain credential theft. #CYFIRMA #Quishing
Keypoints
- Campaign targets finance and procurement roles using invoice, payment, and procurement-themed email lures with malicious PDF attachments.
- Malicious PDFs use visual obfuscation (blurred/restricted content) and embedded links or QR codes to prompt user interaction and redirect to phishing sites.
- Multiple phishing kits share consistent front-end templates while varying backend domains, hosting providers, and redirection logic for infrastructure rotation.
- Activity increased around the financial year-end to exploit higher transaction volumes and audit/vendor reconciliation workflows.
- Primary objective is credential harvesting via fraudulent login portals that mimic legitimate authentication pages, raising risks of unauthorized access and financial fraud.
- Mitigations recommended include advanced email filtering and sandboxing, phishing-resistant MFA, conditional access, web filtering, targeted user training, and IOC monitoring.
MITRE Techniques
- [T1566.001 ] Phishing: Spearphishing Attachment – Malicious PDF attachments delivered via business-themed phishing emails to initiate redirection to credential harvesting infrastructure (‘phishing email leveraging business-related themes and containing a malicious PDF attachment.’)
- [T1566.002 ] Phishing: Spearphishing Link – Embedded links in documents redirect users through chained URLs to fraudulent login pages (‘embedded elements such as links or QR codes, they are redirected to a phishing website.’)
- [T1189 ] Drive-by Compromise – Redirection chains and externally hosted phishing pages serve as web-based compromise vectors following document interaction (‘redirection chains leading to phishing pages.’)
- [T1204.002 ] User Execution: Malicious File – User interaction with PDF content (buttons, links, QR codes) is required to trigger the next-stage phishing page (‘Malicious PDF attachments serve as the primary payload delivery mechanism’).
- [T1556 ] Modify Authentication Process – Attackers present fraudulent authentication interfaces that alter normal authentication flows to collect credentials (‘mimic legitimate authentication portals’).
- [T1056.003 ] Input Capture: Web Portal Capture – Fraudulent login pages are used to capture user credentials via web forms (‘fraudulent login pages designed to harvest credentials’).
- [T1110 ] Brute Force – Listed as an optional technique in the assessment (if observed) (‘Brute Force (if observed, optional)’).
- [T1036 ] Masquerading – Emails and pages are crafted to appear as legitimate business communications and may use spoofed domains to blend in (‘delivered from external or potentially spoofed domains’).
- [T1027 ] Obfuscated Files or Information – PDFs employ visual obfuscation (blurred or restricted content) to encourage interaction and evade inspection (‘content is intentionally blurred, restricted, or partially concealed.’)
- [T1056 ] Collection: Input Capture – The campaign focuses on collecting user-entered credentials through staged web forms and fake portals (‘credential harvesting interfaces that mimic legitimate authentication portals’).
- [T1621 ] Multi-Factor Authentication Request Generation – Threat actors may attempt techniques to bypass or manipulate MFA workflows to obtain or reuse credentials (‘more sophisticated methods for bypassing multi-factor authentication’).
Indicators of Compromise
- [File Name ] Malicious document attachments used as intermediary payloads – invoice.pdf, payment_notice.pdf
- [Domain ] Phishing and hosting domains used for backend infrastructure and rotation – spoofed-business.example, phishing-host.example
- [URL ] Redirect chains to credential-harvesting pages that mimic login portals – hxxps://login.example, hxxps://pay.example
- [QR Code ] Encoded URLs in PDFs that bypass email URL inspection and direct mobile users to phishing sites – QR directing to hxxps://login.example
- [Email Sender ] External or potentially spoofed sender addresses used to deliver malicious PDFs – accounts@vendor-example[.]com, billing@supplier[.]example
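The embedded-link variant of the lure (keypoint on PDFs with embedded links or QR codes) and the indicator list above can be turned into a simple attachment triage check. The following Python is an added example, not code from CYFIRMA or the report: it pulls the link targets (/URI entries) out of a PDF attachment and matches their hostnames against the report's IoC domains after refanging the hxxps:// and [.] notation. The IoC values are the ones listed on this page; the PDF bytes are constructed inline for the demonstration. QR codes are images and need a separate decoder, which this example does not cover.

```python
"""
Added triage helper (not part of the CYFIRMA report): extract /URI link
targets from a PDF attachment and check them against the report's IoCs.
"""
import re
from urllib.parse import urlparse

# IoC values copied from the report's indicator list, as published (defanged).
REPORTED_IOCS = [
    "spoofed-business.example",
    "phishing-host.example",
    "hxxps://login.example",
    "hxxps://pay.example",
    "accounts@vendor-example[.]com",
    "billing@supplier[.]example",
]


def refang(value: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into a comparable form."""
    value = value.strip()
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def ioc_hostnames(iocs) -> set:
    """Reduce mixed IoC entries (domains, URLs, sender addresses) to hostnames."""
    hosts = set()
    for raw in iocs:
        value = refang(raw).lower()
        if "://" in value:
            host = urlparse(value).hostname
        elif "@" in value:
            host = value.rsplit("@", 1)[1]
        else:
            host = value
        if host:
            hosts.add(host)
    return hosts


# PDF link annotations carry their target as /URI (literal) or /URI <hex>.
# Note: PDFs that pack annotation dictionaries into compressed object streams
# must be inflated first; this regex only sees uncompressed objects.
_URI_RE = re.compile(
    rb"/URI\s*\(((?:\\.|[^\\)])*)\)"   # literal string, with \) escapes allowed
    rb"|/URI\s*<([0-9A-Fa-f\s]*)>"     # hex string
)


def extract_pdf_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the raw PDF bytes, in document order."""
    uris = []
    for literal, hexstr in _URI_RE.findall(pdf_bytes):
        if literal:
            # Undo PDF string escapes such as \( \) \\ before decoding.
            uris.append(re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1"))
        elif hexstr:
            clean = re.sub(rb"\s", b"", hexstr)
            uris.append(bytes.fromhex(clean.decode("ascii")).decode("latin-1"))
    return uris


def triage_pdf(pdf_bytes: bytes, iocs=REPORTED_IOCS) -> dict:
    """Map each embedded link to 'ioc-match' or 'unknown' (external host not on the list)."""
    known = ioc_hostnames(iocs)
    verdicts = {}
    for uri in extract_pdf_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        verdicts[uri] = "ioc-match" if host in known else "unknown"
    return verdicts


# Constructed sample: a minimal PDF with two link annotations. One points at a
# host from the report's IoC list, the other at an unrelated constructed host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 100]
   /A << /S /URI /URI (https://login.example/view?inv=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 120 300 150]
   /A << /S /URI /URI (https://tracking.example.net/open) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri, verdict in triage_pdf(SAMPLE_PDF).items():
        print(f"{verdict:10} {uri}")
```

An "unknown" verdict is not a clean bill of health: the report notes that backend domains rotate, so a link to an unlisted host still deserves URL inspection or sandbox detonation, and the IoC matching here should be treated as the fast-path check in front of that. The same hostname set can be fed to a mail gateway or web filter blocklist.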