Threat Actors Persist in Employing HR-Related Phishing Strategies

A Cofense Phishing Defense Center briefing analyzes a sophisticated phishing campaign that impersonates a company’s HR department to steal credentials. The attack chain starts with an HR-themed email, leads recipients to a fake login page that captures their credentials, and then redirects them to the legitimate Microsoft/Okta login so the theft goes unnoticed. The briefing lists the campaign’s IOCs and notes that the lure relies on urgent, authority-driven wording. #Cofense #HRPhishing #Office365 #Okta #MicrosoftLogin

Keypoints

  • Phishing attacks are evolving to impersonate trusted entities, targeting employees directly.
  • The subject “Important: Revised Employee Handbook” is used to grab attention and create urgency.
  • Formal language and deadline-driven directives increase the likelihood of quick user action.
  • Threat actors employ psychological tactics, including fear of non-compliance, to manipulate recipients.
  • Clicking the embedded link leads to a fake login page designed to capture credentials.
  • After credential entry, users are redirected to a legitimate-looking Microsoft/SSO login page, masking the intrusion.
  • Indicators of compromise include specific URLs and IP addresses associated with the campaign, aiding detection and response.
  • Defenses recommended include user awareness training and advanced email security solutions to mitigate risk.

MITRE Techniques

  • [T1566] Phishing – Threat actors impersonate trusted entities (here, the HR department) to deceive users into providing sensitive information.
  • [T1003] Credential Dumping – Capturing user credentials through fake login pages. “Capturing of Credentials: When you enter your company email address and press next, you are redirected to what looks like your company’s Microsoft Office 365 login page.”
  • [T1071] Redirection – Redirecting users to legitimate-looking login pages after capturing credentials. “You are then redirected to the actual company SSO/Okta login page, making you think there was a minor issue.”

Indicators of Compromise

  • [Domain] domains involved in the phishing infrastructure – hresourcinfo.henryscchein.com, revised-workbook.formstack.com
  • [IP] addresses associated with the campaign – 104.236.9.231, 52.85.132.32, 52.85.132.40, 52.85.132.118
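The indicators above are only useful once they are matched against traffic, and the briefing's key observation is that the fake page bounces the victim to the real SSO login after capturing credentials. The following Python is an added example (not Cofense's code) that matches proxy log lines against the listed domains and IPs and, more usefully, flags users whose IoC hit is followed within minutes by a request to a legitimate SSO host, which distinguishes a likely credential entry from a mere link preview. The log format, the `login.microsoftonline.com`/`okta.com` host names, and the sample lines are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Indicators listed in the briefing summarised above
IOC_DOMAINS = {"hresourcinfo.henryscchein.com", "revised-workbook.formstack.com"}
IOC_IPS = {"104.236.9.231", "52.85.132.32", "52.85.132.40", "52.85.132.118"}
# Legitimate SSO hosts the lure bounces to after capturing credentials (assumed host names)
SSO_HOSTS = {"login.microsoftonline.com", "okta.com"}

def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def parse_line(line):
    """Constructed proxy log format: '<ISO timestamp> <user> <dest_host> <dest_ip>'."""
    ts, user, host, ip = line.split()
    return datetime.fromisoformat(ts), user, host, ip

def is_ioc_hit(host, ip):
    return host_matches(host, IOC_DOMAINS) or ip in IOC_IPS

def find_ioc_hits(lines):
    """Plain indicator match: every request that touched campaign infrastructure."""
    return [(ts, user, host) for ts, user, host, ip in map(parse_line, lines) if is_ioc_hit(host, ip)]

def find_capture_then_redirect(lines, window=timedelta(minutes=5)):
    """Users who hit a campaign IoC and then reached a real SSO host within `window`.
    The bounce to the genuine login page is what hides the capture from the victim,
    so the pair is a stronger sign that credentials were entered, not just a link previewed."""
    events = sorted(map(parse_line, lines), key=lambda e: e[0])
    flagged = set()
    for i, (ts, user, host, ip) in enumerate(events):
        if not is_ioc_hit(host, ip):
            continue
        for ts2, user2, host2, _ in events[i + 1:]:
            if ts2 - ts > window:
                break
            if user2 == user and host_matches(host2, SSO_HOSTS):
                flagged.add(user)
                break
    return flagged

# Constructed sample log; 192.0.2.x and 10.x addresses are placeholders, not campaign IoCs
SAMPLE_LOG = [
    "2024-05-01T09:00:05 alice hresourcinfo.henryscchein.com 104.236.9.231",
    "2024-05-01T09:00:41 alice login.microsoftonline.com 192.0.2.10",
    "2024-05-01T09:03:00 bob revised-workbook.formstack.com 52.85.132.40",
    "2024-05-01T10:15:00 bob login.microsoftonline.com 192.0.2.10",
    "2024-05-01T11:00:00 carol intranet.example.com 10.0.0.5",
]
```

On the sample log both alice and bob touch campaign infrastructure, but only alice reaches the real SSO page within the window, so she is the account to reset first.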

Read more: https://cofense.com/blog/threat-actors-continue-to-utilize-hr-related-phishing-tactics