
Microsoft cautions against code of conduct-themed phishing campaign

Microsoft says the campaign leveraged “polished, enterprise-style HTML templates” and other elements to appear more convincing.


TOPICS: Cybersecurity / AI & Emerging Tech / Phishing

Malicious actors are spicing up their phishing campaigns with bait designed to play off employees’ fears of violating their companies’ codes of conduct, according to the Microsoft Defender Research team.

In a May 4 blog post, Microsoft described the ploy as a multi-step “large-scale credential theft campaign” that uses “polished, enterprise-style HTML templates” to deceive users.

Over the course of two days in mid-April, 35,000 users in 26 countries were targeted by the phishing campaign, which Microsoft said relies on “concerning accusations and repeated time-bound action prompts” to create a sense of urgency. Roughly nine in 10 (92%) of these users were based in the US and worked in several industries, including retail, technology, and healthcare.

The TL;DR on the campaign. Microsoft said observed emails in the phishing campaign were sent using genuine email delivery services and subject lines like, “Internal case log issued under conduct policy.” If that wasn’t convincing enough, campaign emails also contained:

  • A banner that stated the email was encrypted with Paubox, a real HIPAA-compliant email encryption solution.
  • A notice stating the incoming message was “issued through an authorized internal channel.”
  • An attached PDF with additional details of the faux review.

Users targeted by the campaign were told that a code of conduct review had been initiated and were prompted to open the PDF attachment. The PDF contained a link that, when clicked, triggered a credential harvesting flow (a cyberattack in which attackers gain unauthorized access to a victim’s credentials).

Plenty of phish in the sea. Phishing campaigns have become increasingly sophisticated in nature. IT Brew previously reported on the rise of calendar-invite phishing messages, for example, as well as a payroll pirate scheme aimed at the employees of educational institutions.

What’s an IT pro to do? Microsoft gave several recommendations to combat this latest phishing campaign, including suggesting that organizations invest in phishing simulations and enable passwordless authentication for eligible accounts: “Responders could also manually check for and purge unwanted emails containing URLs and/or subject fields that are similar, but not identical, to those of known bad messages.”
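Microsoft’s suggestion to purge messages whose subject lines or URLs are “similar, but not identical” to known bad ones is essentially a fuzzy-matching triage step, and the lure elements listed above (the Paubox banner, the “authorized internal channel” notice, the PDF attachment) are usable indicators alongside it. The script below is an added illustration, not code from the article or from Microsoft’s post: it uses Python’s difflib to score each message’s subject and link hosts against a known-bad list and checks for the article’s lure phrases. The only subject line it knows is the one quoted in the article; the bad hostname `login-review.badmail.example`, the threshold of 0.8, and the three sample messages are constructed for the example.

```python
"""Triage helper for mailbox messages resembling the code-of-conduct phishing lure.

Added example, not part of the IT Brew article or Microsoft's blog post. It models the
recommended check for subjects/URLs that are "similar, but not identical" to known bad
messages with difflib, plus the lure elements the article lists. The known-bad host,
threshold, and sample messages below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Subject line quoted in the article for the observed campaign emails.
KNOWN_BAD_SUBJECTS = ["Internal case log issued under conduct policy"]

# Hostnames of harvesting URLs from confirmed bad messages. Placeholder value;
# in a real response these come from the incident's own indicators.
KNOWN_BAD_HOSTS = ["login-review.badmail.example"]

# Lure elements the article attributes to the campaign (matched case-insensitively).
LURE_PHRASES = [
    "encrypted with paubox",
    "issued through an authorized internal channel",
    "code of conduct review",
]

# Assumed cut-off for "similar, but not identical"; tune against your own mail corpus.
SIMILARITY_THRESHOLD = 0.8


@dataclass
class Message:
    subject: str
    body: str
    urls: list[str] = field(default_factory=list)
    attachments: list[str] = field(default_factory=list)


def subject_similarity(subject: str) -> float:
    """Best fuzzy-match ratio between a subject and the known-bad subjects."""
    s = subject.casefold().strip()
    return max(SequenceMatcher(None, s, k.casefold()).ratio() for k in KNOWN_BAD_SUBJECTS)


def host_similarity(url: str) -> float:
    """Best fuzzy-match ratio between a URL's hostname and the known-bad hosts."""
    host = (urlparse(url).hostname or "").casefold()
    if not host:
        return 0.0
    return max(SequenceMatcher(None, host, k).ratio() for k in KNOWN_BAD_HOSTS)


def score_message(msg: Message) -> dict:
    """Return indicator hits; 'purge' is True when the message looks like a campaign variant."""
    text = msg.body.casefold()
    hits = {
        "subject_similarity": round(subject_similarity(msg.subject), 2),
        "url_similarity": round(max((host_similarity(u) for u in msg.urls), default=0.0), 2),
        "lure_phrases": [p for p in LURE_PHRASES if p in text],
        "pdf_attachment": any(a.lower().endswith(".pdf") for a in msg.attachments),
    }
    similar = (hits["subject_similarity"] >= SIMILARITY_THRESHOLD
               or hits["url_similarity"] >= SIMILARITY_THRESHOLD)
    # Require a fuzzy match AND at least one lure element, so a legitimate HR mail
    # with a merely similar subject is not purged on the subject alone.
    hits["purge"] = similar and (bool(hits["lure_phrases"]) or hits["pdf_attachment"])
    return hits


# Constructed sample mailbox: one near-identical variant, one benign HR reminder,
# one variant that reuses the (placeholder) harvesting host under a new subject.
SAMPLE_MESSAGES = [
    Message(
        subject="Internal case log issued under conduct policies",
        body=("This message is encrypted with Paubox. A code of conduct review has been "
              "initiated. Notice: issued through an authorized internal channel. "
              "Respond within 24 hours."),
        attachments=["Case_Log_4471.pdf"],
    ),
    Message(
        subject="Re: Q3 conduct policy training reminder",
        body="Hi all, reminder that the annual training module is due next month.",
        urls=["https://intranet.corp.example/training"],
    ),
    Message(
        subject="Action required: conduct case review",
        body="Please sign in to review your case. Issued through an authorized internal channel.",
        urls=["https://login-review.badmail.example/review"],
    ),
]


def triage(messages: list[Message]) -> list[tuple[str, bool]]:
    """Map each message's subject to the purge decision."""
    return [(m.subject, score_message(m)["purge"]) for m in messages]


if __name__ == "__main__":
    for subject, purge in triage(SAMPLE_MESSAGES):
        print(f"{'PURGE' if purge else 'keep '}  {subject}")
```

Run on the samples, the first and third messages are flagged and the training reminder is kept. The two-signal rule (fuzzy match plus a lure element) is the design choice worth keeping when adapting this to a real mailbox search: subject similarity alone will sweep up legitimate HR traffic about the same policy.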

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

By subscribing, you accept our Terms & Privacy Policy.

About the author

Brianna Monsanto

Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
