Posted on June 2, 2021 at 1:25 PM
Workers are now returning to the office as most regions lift their COVID-19 restrictions. However, recent reports reveal that threat actors are now targeting these employees in their offices.
Over the past year, when the pandemic forced employees to work from home, hackers changed their targets and focused on these workers. Now some threat actors are launching new phishing campaigns aimed at those returning to post-COVID-19 offices.
According to security firm Cofense, the campaign sends emails to returning employees that purport to welcome them back to the office.
The hackers made the email look genuine enough for their targets to believe them. It has the company’s official logo at the top and the signature of the chief information officer at the bottom.
The message informs workers about changes made to business operations and the new pandemic-related precautions they need to follow.
There is also a link in the email redirecting the worker to a Microsoft SharePoint page that hosts two company-branded files.
On closer examination, however, the files are not genuine. The hackers set them up as phishing mechanisms to capture their targets' credentials.
An uncommon phishing practice
According to Dylan Main, threat analyst at Cofense’s Phishing Defense Center, the whole point of redirecting users is to obtain the victim’s login credentials.
When the user tries to open the document, a login panel pops up, prompting the user to enter their login details to have access to the document.
Main has called these tactics very rare, considering that most Microsoft phishing emails lead the target to another phishing page.
In this case, the threat actors make the file appear genuine, which increases the chance of the target providing login details to access the file. And in many cases, the user may be willing to supply the details to view the updates supposedly coming from their employer.
Using bogus validated credentials
Cofense has also reported that the threat actors are exploring more options to steal user credentials. They fake credential validation by rejecting the target’s login information several times. Once the target enters the details, a notification pops up stating, “Your account or password is incorrect.”
After a few more attempts, the target is redirected to a genuine Microsoft page, which convinces them that the login details were correct. The employee can now access the OneDrive document, but the threat actors have also succeeded in obtaining their account information.
This is not the first campaign discovered to be targeting returning employees, as Check Point researchers discovered one last year.
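The reject-then-redirect flow described above leaves a recognizable trace in web proxy logs: several credential submissions to one non-Microsoft host, followed shortly by a request to a genuine Microsoft host. The following detection routine is an added example, not code from Cofense or the original article; the log format, host names, allowlist and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: hosts treated as genuine Microsoft sign-in/document hosts.
GENUINE_HOSTS = {"login.microsoftonline.com", "onedrive.live.com"}
MIN_POSTS = 2                  # assumed threshold for "rejected several times"
WINDOW = timedelta(minutes=5)  # assumed: submissions must be this recent

# Constructed sample proxy log (not real data): time, user, method, host
SAMPLE_LOG = """\
2021-06-02T09:00:05 alice GET files.example-share.test
2021-06-02T09:00:40 alice POST files.example-share.test
2021-06-02T09:01:10 alice POST files.example-share.test
2021-06-02T09:01:45 alice POST files.example-share.test
2021-06-02T09:01:50 alice GET login.microsoftonline.com
2021-06-02T09:10:00 bob POST login.microsoftonline.com
2021-06-02T09:10:05 bob GET onedrive.live.com
2021-06-02T09:20:00 carol POST intranet.example.test
2021-06-02T09:45:00 carol GET login.microsoftonline.com
"""

def parse(log):
    """Yield (timestamp, user, method, host) from whitespace-separated lines."""
    for line in log.splitlines():
        ts, user, method, host = line.split()
        yield datetime.fromisoformat(ts), user, method, host.lower()

def find_reject_then_redirect(log):
    """Return sorted (user, host) pairs where the user sent at least MIN_POSTS
    POSTs to one non-genuine host and then reached a genuine host in WINDOW."""
    posts = defaultdict(list)  # (user, host) -> POST timestamps
    hits = set()
    for ts, user, method, host in sorted(parse(log)):
        if host in GENUINE_HOSTS:
            # A genuine host was reached: look back for repeated submissions.
            for (u, h), times in posts.items():
                recent = [t for t in times if ts - t <= WINDOW]
                if u == user and len(recent) >= MIN_POSTS:
                    hits.add((u, h))
        elif method == "POST":
            posts[(user, host)].append(ts)
    return sorted(hits)

if __name__ == "__main__":
    for user, host in find_reject_then_redirect(SAMPLE_LOG):
        print(f"review: {user} submitted credentials repeatedly to {host}")
```

A hit is a lead for review and a prompt to reset the user's password, not proof of compromise; legitimate single sign-on flows can produce a similar sequence.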
Additionally, it may not be the last campaign targeting the post-COVID workplace, as noted by Cofense.
Many organizations have drafted messages welcoming their employees back to the physical workplace. Some hackers may get hold of these messages and clone them so that they look real to their targets.
Remote workers will still be targeted
Employees from top tech companies like Google and Microsoft have started returning to their workplace and the executives expect over 50% of them to be back by July. This leaves a window of opportunity for threat actors to take advantage.
Threat actors will probably leverage the themes these organizations will use to welcome their staff and try to steal user credentials through similar phishing attacks.
While some organizations have opened their offices to welcome their employees back, others are still observing COVID-19 restrictions. As a result, some threat actors will still focus on remote workers while trying out the new theme on returning ones, according to Tonia Dudley, strategic adviser at Cofense.
She added that a hybrid model of work is expected moving forward, and that both the returning workers and those still working from home will be targets for phishing attacks.