Beware of Phishing Scams Disguised as Annual HR Tasks | Cofense

Threat actors are leveraging routine HR communications—open enrollment, 401k statements, employee surveys, and compensation notices—to deliver credential-phishing payloads via links, attachments, and QR codes. These emails often spoof HR departments and include company-specific details to increase legitimacy.

Key points

  • Attackers use HR-themed lures (open enrollment, 401k updates, surveys, salary adjustments) that employees expect and are likely to engage with.
  • Common delivery mechanisms include ZIP attachments containing HTML credential stealers, direct phishing links, and QR codes that redirect to phishing sites.
  • Emails frequently spoof internal HR or include the recipient’s company name in subject, body, and attachments to increase trustworthiness.
  • QR code-based phishing has risen sharply and is commonly used to push victims to mobile phishing pages where credentials are collected.
  • These campaigns reach targets with few technical barriers, relying largely on social engineering and user interaction to succeed.
  • Phishing volume tied to HR lures can occur year-round but often spikes around organizations’ enrollment or fiscal cycles.

MITRE Techniques

  • [T1566] Phishing – Use of HR-themed emails to obtain credentials via links, attachments, or QR codes (‘credential phishing’, ‘leads to a malicious link that is phishing for credentials’).
  • [T1566.001] Spearphishing Attachment – Delivery of a ZIP archive containing an HTML file designed to capture login data (‘includes a ZIP archive attachment that contains an HTML file used to steal login credentials.’).
  • [T1566.002] Spearphishing Link – Embedding malicious links (including QR code redirects) that direct victims to credential-harvesting pages (‘the QR code leads to a malicious link that is phishing for credentials’).
  • [T1204.001] User Execution: Malicious File – Relying on users to open attachments (HTML inside ZIP) which then prompt credential entry or load phishing content (‘ZIP archive attachment that contains an HTML file used to steal login credentials.’).
  • [T1036] Masquerading – Spoofing HR departments and inserting company names in subject/body/attachments to appear legitimate (‘spoofed a human resource department’, ‘includes the name of the company that the recipient is employed with in the subject, attachment, and email body.’).

Indicators of Compromise

  • [Attachment] ZIP with embedded HTML – example: “ZIP archive attachment that contains an HTML file used to steal login credentials” (no filename provided).
  • [QR code redirect] Mobile phishing link – example: QR code leading to a malicious link that is phishing for credentials (specific URL not disclosed).
  • [Domain / Source] Cofense blog and images – https://cofense.com/blog/threat-actors-taking-advantage-of-hr-initiatives/, image examples: https://cofense.com/wp-content/uploads/2024/01/Figure-1.png, https://cofense.com/wp-content/uploads/2024/01/Figure-2.png, and other image assets.

Attack flow (technical focus): Threat actors craft targeted HR-themed emails (open enrollment, 401k updates, surveys, compensation notices) and populate them with familiar company identifiers to reduce suspicion. The emails deliver payloads via either a ZIP attachment that contains an HTML credential harvester or embedded links; increasingly, QR codes are used to redirect victims—often to mobile-optimized phishing pages—where users are prompted to enter login credentials.

Attachment-based campaigns typically rely on a compressed archive (ZIP) that contains an HTML file which, when opened, presents a login form or redirects to an external credential-capture page. Link-based and QR-based campaigns use short-lived or obfuscated URLs to host phishing pages; QR codes bypass desktop link inspection by encouraging mobile scanning and direct navigation to the phishing site. All approaches depend on user interaction (opening the attachment, clicking the link, or scanning the QR) to complete credential theft.

Defensive considerations implied by the techniques include enforcing strict email filtering for compressed attachments, scanning archived HTML files, monitoring and blocking known phishing redirect domains, tracking QR code usage in phishing reports, and reinforcing timely user training and expected communication schedules so employees can better distinguish legitimate HR notices from spoofed messages.
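As an added example (not code from the Cofense report), the triage routine below implements two of the controls above for the attachment path the report describes: it looks inside ZIP attachments for HTML members, checks whether they carry a login form, and combines that with an HR-themed subject to reach a verdict. The sample ZIP, the lure vocabulary and the verdict thresholds are constructed for illustration.

```python
import io
import zipfile

# Constructed sample: an HTML file with a login form, standing in for the archived
# credential harvester the report describes (not a real payload).
SAMPLE_HTML = (b"<html><body><form action='https://example.invalid/sso'>"
               b"<input name='user'><input type='password' name='pass'></form></body></html>")

def build_sample_zip(member="Open_Enrollment_2024.html", body=SAMPLE_HTML) -> bytes:
    """Build an in-memory ZIP holding one member, for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, body)
    return buf.getvalue()

# Lure vocabulary drawn from the report's HR themes; extend per organization.
HR_LURE_TERMS = ("open enrollment", "401k", "401(k)", "employee survey",
                 "salary adjustment", "compensation", "benefits")
HTML_EXTS = (".html", ".htm", ".xhtml", ".shtml")
MAX_MEMBER_BYTES = 1_000_000  # skip oversized members rather than inflate them

def archived_html(zip_bytes: bytes) -> dict:
    """Return {member name: content} for HTML files inside a ZIP; {} if not a ZIP."""
    found = {}
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(HTML_EXTS) and info.file_size <= MAX_MEMBER_BYTES:
                    found[info.filename] = zf.read(info)
    except zipfile.BadZipFile:
        pass
    return found

def has_login_form(html: bytes) -> bool:
    """Crude check for a credential prompt: a form that mentions a password field."""
    text = html.decode("utf-8", "ignore").lower()
    return "<form" in text and "password" in text

def triage(subject: str, attachments: dict) -> tuple:
    """Return (verdict, reasons); verdicts are deliver, review or quarantine."""
    reasons = []
    hr_subject = any(t in subject.lower() for t in HR_LURE_TERMS)
    if hr_subject:
        reasons.append("HR-themed subject")
    html_in_zip = login_form = False
    for name, data in attachments.items():
        if not name.lower().endswith(".zip"):
            continue
        for member, body in archived_html(data).items():
            html_in_zip = True
            reasons.append(f"HTML inside ZIP: {name}!{member}")
            if has_login_form(body):
                login_form = True
                reasons.append(f"login form in {member}")
    if login_form or (hr_subject and html_in_zip):
        return "quarantine", reasons
    return ("review" if reasons else "deliver"), reasons
```

A mail gateway hook would call `triage()` with the decoded subject and a name-to-bytes map of attachments and act on the verdict; the reasons list is what to surface in the phishing report.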

Read more: https://cofense.com/blog/threat-actors-taking-advantage-of-hr-initiatives/