Article contributed by Ethan Fite
Cyderes SOC has identified a new global phishing campaign exploiting themes of new employee handbooks.
This campaign has been observed across multiple organizations. It uses highly targeted PDFs that carry the recipient company's branding, with the phishing payload nested behind a CAPTCHA check to evade automated analysis. The attackers aim to steal credentials or deliver malware via QR codes embedded in the document.
Organizations must act immediately to mitigate this threat, leveraging email security enhancements, end-user training, and robust threat intelligence sharing.
Key Characteristics of the Campaign and Payload Analysis
1) Subjects (Examples)
- Employee Handbook For All [COMPANY] Employees Ref THEPCR
- Employee-Handbook For All [COMPANY] | Ref ZKTKEF
- Revised – [COMPANY] Handbook
2) Senders (Examples)
- Noreply - [COMPANY] Automated Notification [COMPANY]_notice8282.automated.onmicrosoft.teams@visionlateral[.]cl
- [COMPANY] mike@asnysecurity[.]com
- [COMPANY] directdebit@tokyofood[.]co[.]nz
3) PDF Attachments (Examples)
- Revised - [COMPANY] EmployeeHB5107.pdf
- [EMPLOYEE NAME].pdf
- Revised-[COMPANY] Handbook 37392.pdf
4) Observed URLs (Defanged)
- hxxps://home[.]coxsbazartimes24[.]com/?WOEvb=ix&newblaw11=
- hxxps://confirm-ruoytnuoccawon[.]federalappstorage[.]com
- hxxps://xwe[.]soundestlink[.]com/ce/c/6761b7da0bb04571be0199f7/6761ed3e07a24e80c1b1baa7/6761ed5af9a08fb1fbc2b344?signature=d885c666c5e36849e8bcc98aeb83799b5e230a4dc9aeaebfa3adc8b9eb109ad4
5) PDF Characteristics
- Page 1: Target-specific company logo and introductory text about the new handbook.
- Page 2: Generic bullet list of the handbook’s table of contents.
- Page 3: Instructions referencing a new company policy and a QR code that redirects to a phishing payload.
- Payloads: Differ for each target, often leading to credential harvesting or malware download.
6) Post-QR Code Payload
After scanning the QR code in the phishing PDF, victims are directed to a CAPTCHA verification page. This added layer serves multiple purposes:
- Legitimacy: The CAPTCHA makes the process appear authentic.
- Detection Bypass: CAPTCHA may prevent automated security tools from analyzing the payload.
7) Behavioral Analysis
- Identified Visitors: Redirected to legitimate websites such as yahoo.com or google.com.
- Unidentified Visitors: Redirected to Microsoft-branded credential harvesting pages.
Recommended Mitigations
1) Email Security Gateway Configuration
Create a custom policy to detect and quarantine emails with the following patterns:
- Subject Line Keywords: “Employee Handbook,” “Revised Handbook,” “For All Employees,” “Ref [alphanumeric code],” “[COMPANY NAME].”
- Attachment Filenames: Use pattern-based detection to flag filenames including terms like “EmployeeHB,” “Handbook,” or alphanumeric references.
- Sender Domain Analysis: Alert on discrepancies between sender display names (e.g., “[COMPANY NAME]”) and sender domains.
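The three policy checks above, as an added example that is not part of the Cyderes advisory: a small Python scorer that flags the observed subject wording, lure-style attachment names, and a sender whose display name claims the company while the address domain is external. The company name, internal domain set and sample messages are constructed placeholders modelled on the examples in this article.

```python
import re
from email.utils import parseaddr

# Subject indicators drawn from the observed lures: handbook wording,
# "For All ... Employees", and a trailing "Ref <alphanumeric code>".
SUBJECT_RE = re.compile(
    r"employee[\s-]*handbook|revised\b.*\bhandbook|for all\b.*\bemployees|\bref\s+[A-Z0-9]{5,8}\b",
    re.IGNORECASE,
)
# Attachment indicators: "EmployeeHB<digits>.pdf" or "Handbook <digits>.pdf".
ATTACHMENT_RE = re.compile(r"(employeehb\s*\d*|handbook\s*\d+)\.pdf$", re.IGNORECASE)


def score_message(msg, company, internal_domains):
    """Return the list of policy indicators a parsed message triggers."""
    reasons = []
    subject = msg.get("subject", "")
    if SUBJECT_RE.search(subject):
        reasons.append("subject: handbook lure wording")
    if company.lower() in subject.lower():
        reasons.append("subject: contains company name")
    for name in msg.get("attachments", []):
        if ATTACHMENT_RE.search(name):
            reasons.append(f"attachment: lure filename {name}")
    display, addr = parseaddr(msg.get("from", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name claims to be the company, but the address domain is external.
    if company.lower() in display.lower() and domain not in internal_domains:
        reasons.append(f"sender: display name claims {company} but domain is {domain}")
    return reasons


def should_quarantine(reasons):
    """Quarantine only when two or more independent indicator classes fire,
    so a genuine internal HR mail about the handbook is not caught."""
    classes = {r.split(":", 1)[0] for r in reasons}
    return len(classes) >= 2


# Constructed sample messages (hypothetical company and domains, not real mail).
SAMPLE_MESSAGES = [
    {"from": "Noreply - ExampleCorp Automated Notification <ExampleCorp_notice8282.automated@external-example.invalid>",
     "subject": "Employee Handbook For All ExampleCorp Employees Ref THEPCR",
     "attachments": ["Revised - ExampleCorp EmployeeHB5107.pdf"]},
    {"from": "ExampleCorp HR <hr@examplecorp.com>",
     "subject": "Employee Handbook update",
     "attachments": []},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = score_message(m, "ExampleCorp", {"examplecorp.com"})
        print("QUARANTINE" if should_quarantine(r) else "ALLOW", "|", m["subject"], r)
```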
2) Block QR Code URLs
Use web filtering solutions to proactively block access to URLs associated with malicious QR codes. Analyze any URLs for suspicious patterns or redirects.
3) Educate Employees
Conduct phishing awareness training focusing on:
- Identifying suspicious subject lines and senders.
- Verifying handbook communications through internal HR channels.
- Avoiding QR codes in unsolicited documents.
4) Enhanced SOC Monitoring
Deploy threat hunting techniques to identify and analyze:
- Emails with targeted PDFs.
- URL click-through behavior from QR code scans.
- Post-compromise indicators such as unusual login activity.
5) Collaborate on Threat Intelligence
Share IOC data and observed attack patterns with trusted partners and threat intelligence platforms to enhance collective defense.
Call to Action
Cyderes customers should implement these updated recommendations to enhance their defenses. Contact the Cyderes SOC at support@cyderes.com for further assistance.
Stay vigilant,
Cyderes Security Operations Center