From Email to Exfiltration: How Threat Actors Steal ADP Login and Personal Data

Cofense Phishing Defense Center (PDC) observed a phishing campaign impersonating ADP that used a convincing display name and urgent subject lines to lure employees to a counterfeit login site. The fake login page (hxxps://myadpaccess[.]web[.]app/signin/v1/pin4nas) and the pages that followed it harvested credentials, 2FA codes, and personal data, all of which were exfiltrated to attacker-controlled web servers.

Keypoints

  • Threat actors impersonated ADP by using a convincing display name (‘MY ADP’) and subject lines to appear legitimate.
  • Emails created a false sense of urgency, claiming the recipient violated terms and urging immediate login to resolve the issue.
  • Malicious links redirected victims to a counterfeit ADP login page (hxxps://myadpaccess[.]web[.]app/…) that harvested credentials.
  • The phishing flow included a fake 2FA prompt and additional verification pages requesting email, phone, date of birth, and Social Security number.
  • Submitted credentials and PII were exfiltrated to an attacker-hosted web server, enabling account takeover and access to pay stubs, W‑2s, and 401(k) data.
  • Cofense PDC highlights the importance of employee awareness and email security and leverages human intelligence plus technology to detect such attacks.

MITRE Techniques

  • [T1566] Phishing – Use of malicious emails to trick users into visiting a counterfeit site (‘the threat actor manipulates the user’s emotions by creating a false sense of urgency, claiming that the user violated certain terms and conditions, and urges them to log in immediately to resolve the issue.’)
  • [T1566.002] Phishing: Spearphishing Link – Delivery of a malicious hyperlink that appears legitimate (e.g., includes ‘ADP’ in the URL) and redirects victims to credential-harvesting pages (‘the URL itself may appear familiar to the user because it includes ‘ADP’ in it, which can lead employees to trust and click without verifying its authenticity.’)
  • [T1204.002] User Execution: Malicious Link – The attack relies on the user clicking a link in the email to initiate the compromise (‘In the urgency to resolve the issue, the user might click the ‘Click here’ hyperlink on the page.’)
  • [T1056] Input Capture – Phishing pages collect credentials and personal data via fake login and verification forms; the more specific sub-technique is T1056.003 Web Portal Capture (‘they will request personal information such as the user’s email address, phone number, date of birth, and Social Security number.’)
  • [T1078] Valid Accounts – Stolen credentials and the additional verification data are used to access victim accounts and sensitive resources (‘giving them full access to the victim’s account and personal data.’)
  • [T1567] Exfiltration Over Web Service – Collected credentials and PII are transmitted to attacker-controlled web servers for later use (‘it will be exfiltrated to a web server hosted by the threat actor, giving them full access to the victim’s account and personal data.’)

Indicators of Compromise

  • [URL] phishing login page – hxxps://myadpaccess[.]web[.]app/signin/v1/pin4nas
  • [Domain] phishing host – myadpaccess[.]web[.]app (web[.]app is a shared Firebase Hosting domain, so block the full hostname rather than the parent domain)
  • [Email Display Name] impersonation in sender field – ‘MY ADP’
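The key points above describe the lure (a brand in the display name sent from an unrelated domain, ‘ADP’ embedded in a hostname that is not adp.com, and urgency language), and the IOC list gives the concrete host. The triage script below, an added example that is not part of the Cofense write-up, turns those observations into checks over a raw message. The sample emails are constructed for this example; the allowlist of legitimate ADP domains (adp.com only) and the naive two-label registrable-domain logic are assumptions, and production code should use the Public Suffix List instead.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators from the page, kept defanged and refanged before matching.
DEFANGED_IOCS = ["myadpaccess[.]web[.]app"]
# Assumption (not from the page): the domains ADP mail and logins legitimately use.
LEGIT_ADP_DOMAINS = {"adp.com"}
BRAND = "adp"
# Urgency phrases modelled on the lure the page describes.
URGENCY_TERMS = ("violated", "immediately", "suspended", "resolve the issue")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def refang(s: str) -> str:
    """Turn hxxps://x[.]y back into a matchable https://x.y."""
    return s.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host: str) -> str:
    # Naive last-two-labels rule; enough for adp.com vs web.app but a real
    # implementation should consult the Public Suffix List (assumption).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_brand_lookalike(host: str) -> bool:
    """Brand string present in the hostname but the domain is not an allowlisted one."""
    return BRAND in host.lower() and registrable_domain(host) not in LEGIT_ADP_DOMAINS


def triage(raw_email: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Display-name impersonation: brand in the friendly name, sender elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if BRAND in display.lower() and sender_domain \
            and registrable_domain(sender_domain) not in LEGIT_ADP_DOMAINS:
        findings.append(f"display-name impersonation: '{display}' sent from {sender_domain}")

    # Collect every text body part (plain or HTML); a single-part message yields itself.
    text = "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )

    # 2. Link checks: exact IOC hit first, then brand-in-hostname look-alikes.
    ioc_hosts = {refang(i) for i in DEFANGED_IOCS}
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host in ioc_hosts:
            findings.append(f"known IOC host: {host}")
        elif is_brand_lookalike(host):
            findings.append(f"brand in hostname on non-{BRAND.upper()} domain: {host}")

    # 3. Urgency lure in subject or body.
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        findings.append("urgency lure: " + ", ".join(hits))
    return findings


# Constructed sample modelled on the campaign; the hostname is the page's IOC.
SAMPLE_EMAIL = """\
From: MY ADP <notifications@example-mailer.test>
To: employee@example.test
Subject: Action required: terms violation on your ADP account
Content-Type: text/plain; charset=utf-8

You have violated our terms of use. Log in immediately to resolve the issue:
https://myadpaccess.web.app/signin/v1/pin4nas
"""

# Constructed benign message to show the checks do not fire on legitimate mail.
LEGIT_EMAIL = """\
From: ADP <noreply@adp.com>
To: employee@example.test
Subject: Your pay statement is available
Content-Type: text/plain

Sign in at https://my.adp.com/ to view it.
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("FLAG:", line)
    print("benign findings:", triage(LEGIT_EMAIL))
```

The three checks are independent so a miss on one (for example a new hostname not yet in the IOC list) still leaves the display-name and urgency signals; the look-alike rule catches the rotated host as long as ‘adp’ stays in it, which is exactly the trick the page says makes the URL feel familiar.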


Read more: https://cofense.com/blog/from-email-to-exfiltration-how-threat-actors-steal-adp-login-and-personal-data