On May 23, 2023, Cofense researchers reported a phishing campaign in which threat actors use paid time off (PTO) and vacation requests as a lure theme.
Context
The report is based on a phishing campaign reported to Cofense's Phishing Defense Center (PDC), in which threat actors sent emails to users claiming to be from "HR Departments" and providing links for the users to submit annual leave requests.
Technical Details
The campaign’s infection chain proceeds as follows:
- “The user is informed via email that they must log in to their HR portal to verify their dates of annual leave.”
- “Once the user selects the URL in the email, they will be directed to the login page.”
- The login page mimics the targeted employee’s company login page with branding and color schemes.
- “Once the user has entered and submitted their credentials to the form, it will fail on the first two attempts. This is a technique used by the threat actor to ensure the user is typing the password correctly or to use a different password in an attempt to gather multiple credentials. At the third attempt, the credentials will appear to have been processed successfully and the user is redirected to the company’s legitimate home page.”
Community Impact
Given the approach of summer, it is likely that similar phishing lures will become more widely used in the coming months. The lure, when combined with skillfully crafted malicious login pages, could make similar campaigns more effective at harvesting employee credentials. Organizations are encouraged to promote cybersecurity awareness among employees, especially awareness of phishing tactics.
IOCs
Cofense researchers provided the following indicators of compromise (IOCs):
| Indicator | Type |
|---|---|
| hXXps://prod-api[.]mailtag[.]io/link | URL |
| hXXps://20se-infura–ipfs-io[.]translate | URL |
| 34[.]211[.]43[.]45 | IP Address |
| 52[.]35[.]199[.]214 | IP Address |
| 172[.]253[.]122[.]132 | IP Address |
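As an added example (not code from the Cofense report or from this summary), the script below refangs the indicators listed above and checks them against web proxy log lines. The log format and the sample entries are constructed for the demonstration; the indicator values are copied exactly as printed in the table.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published (defanged) in the table above.
# The en dash in the second URL is copied as printed in the report.
DEFANGED_IOCS = {
    "hXXps://prod-api[.]mailtag[.]io/link": "URL",
    "hXXps://20se-infura–ipfs-io[.]translate": "URL",
    "34[.]211[.]43[.]45": "IP Address",
    "52[.]35[.]199[.]214": "IP Address",
    "172[.]253[.]122[.]132": "IP Address",
}

# Constructed proxy log lines (assumed key=value format); not real traffic.
SAMPLE_PROXY_LOG = """\
2023-05-23T09:12:01Z user=j.doe src=10.1.4.22 dst=34.211.43.45 url=https://prod-api.mailtag.io/link?t=abc123 action=allow
2023-05-23T09:12:03Z user=j.doe src=10.1.4.22 dst=198.51.100.7 url=https://intranet.example.com/hr/leave action=allow
2023-05-23T09:15:44Z user=a.smith src=10.1.7.8 dst=203.0.113.9 url=https://updates.example.net/ action=allow
2023-05-23T09:20:10Z user=b.lee src=10.1.9.3 dst=52.35.199.214 url=http://52.35.199.214/login action=allow
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Reverse the defanging used in the report ('hXXps', '[.]') so the
    value can be compared with raw log fields."""
    value = indicator.replace("[.]", ".")
    # 'hXXp' / 'hXXps' scheme prefix back to 'http' / 'https'.
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def build_matchers(iocs):
    """Split the IOC set into URL prefixes, URL hostnames and IP addresses,
    each mapped back to the defanged form for reporting."""
    url_iocs, host_iocs, ip_iocs = {}, {}, {}
    for defanged, kind in iocs.items():
        live = refang(defanged)
        if kind == "URL":
            url_iocs[live.lower()] = defanged
            host_iocs[urlsplit(live).hostname] = defanged
        elif kind == "IP Address":
            ip_iocs[live] = defanged
    return url_iocs, host_iocs, ip_iocs


def scan_line(line, matchers):
    """Return unique (defanged indicator, type) pairs found in one log line.
    A URL hits on an exact prefix match or, failing that, on its hostname."""
    url_iocs, host_iocs, ip_iocs = matchers
    hits = []
    for url in URL_RE.findall(line):
        lowered = url.lower()
        matched = [d for prefix, d in url_iocs.items() if lowered.startswith(prefix)]
        if not matched:
            host = urlsplit(url).hostname
            if host in host_iocs:
                matched = [host_iocs[host]]
        for d in matched:
            if (d, "URL") not in hits:
                hits.append((d, "URL"))
    for ip in IPV4_RE.findall(line):
        if ip in ip_iocs and (ip_iocs[ip], "IP Address") not in hits:
            hits.append((ip_iocs[ip], "IP Address"))
    return hits


def scan_log(text, iocs=DEFANGED_IOCS):
    """Scan a whole log text; return (line number, indicator, type) tuples."""
    matchers = build_matchers(iocs)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for indicator, kind in scan_line(line, matchers):
            findings.append((lineno, indicator, kind))
    return findings


if __name__ == "__main__":
    for lineno, indicator, kind in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {kind} hit on {indicator}")
```

Matching on the URL hostname as a fallback catches variations of the path or query string, which is why line 1 is reported even though the logged URL carries a tracking parameter. IP addresses from cloud providers are often shared by unrelated tenants, so an IP-only hit (line 4 in the sample) is a lead to confirm against the requested URL and the user's mail, not proof of compromise on its own.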