Return to offices means new opportunities for phishing
The move to home working provided new opportunities for phisherfolk, but as many people start to return to their offices the attackers are pivoting to exploit that too.
A new report from email phishing protection specialist INKY shows attacks are capitalizing on vulnerability and the desire for accurate information about returning to the office in-person.
A common tactic is to use emails that appear to come from the HR department, supposedly asking employees to take a survey about their willingness to get a COVID-19 vaccination. Other lures include messages seemingly from CEOs about compliance requests or rule changes.
"The use of dynamic algorithms that impersonate employers makes these very effective. The algorithms work by extracting features (name, domain name) from a recipient's email address and using them to create personalized phishing emails," Bukar Alibe, data analyst at INKY, says. "For example, an email sent to [email protected] could look like 'Hi Roger, Please review Example's new return-to-work guidance. Regards, Example HR Department'. A new phishing kit (LogoKit) uses the same tactic to retrieve a company's logo from Google's favicon database to build personalized phishing sites in real time that adapt to each victim."
Attackers are also using links hosted on legitimate cloud services in order to avoid detection and make their attacks more likely to succeed.
Alibe adds, "Malware and malicious links hosted on legitimate cloud services (GoogleDocs, Microsoft SharePoint, Adobe Spark) were an initial challenge for us. Bad actors deliver phishing content through these sites because they are highly reputable and don't appear in threat intelligence feeds. To detect this new threat, we created a model that extracts features (topic, origin, links, attachments) and transforms them into signals used to separate safe HR emails from malicious ones."
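As an added illustration, not INKY's model or any code from the report, the Python sketch below turns the four feature families Alibe names (topic, origin, links, attachments) into simple signals and a score, and runs them over two constructed messages: a genuine internal HR notice and an HR-themed lure that impersonates the company while linking to a document on a legitimate cloud host. The keyword list, cloud-host list, scoring weights, sender domains and sample emails are all assumptions made for the example.

```python
"""Toy feature extractor for HR-themed phishing.

Added example, not INKY's model. Mirrors the feature families named in the
article (topic, origin, links, attachments) and turns them into signals.
Keyword lists, weights and both sample emails are constructed assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed vocabularies: a real system would learn these rather than hard-code them.
HR_TOPIC_TERMS = ("return to work", "return-to-work", "vaccination",
                  "survey", "compliance", "hr department")
CLOUD_HOSTS = ("docs.google.com", "drive.google.com", "sharepoint.com",
               "spark.adobe.com")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _text_body(msg: Message) -> str:
    """Concatenate the text/plain parts (skipping named attachments)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for p in parts:
        if p.get_content_type() == "text/plain" and not p.get_filename():
            payload = p.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def _host_in(url: str, hosts) -> bool:
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in hosts)


def extract_features(raw: str, org_domain: str) -> dict:
    """Topic, origin, link and attachment features for one RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    display_name = display_name.lower()
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = (msg.get("Subject", "") + "\n" + _text_body(msg)).lower()
    urls = URL_RE.findall(text)
    org_label = re.escape(org_domain.split(".")[0])
    return {
        "hr_topic": any(t in text for t in HR_TOPIC_TERMS),
        # display name borrows the company name or claims to be HR
        "claims_internal": bool(re.search(rf"\b({org_label}|hr)\b", display_name)),
        "external_sender": sender_domain != org_domain.lower(),
        "cloud_hosted_links": [u for u in urls if _host_in(u, CLOUD_HOSTS)],
        "external_links": [u for u in urls if not _host_in(u, (org_domain,))],
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
    }


def score(f: dict) -> tuple:
    """Combine features into a score plus human-readable reasons (weights assumed)."""
    s, reasons = 0, []
    if f["hr_topic"] and f["external_sender"]:
        s += 2; reasons.append("HR topic sent from outside the organisation")
    if f["claims_internal"] and f["external_sender"]:
        s += 3; reasons.append("display name impersonates the company/HR; sender domain is external")
    if f["hr_topic"] and f["cloud_hosted_links"]:
        s += 2; reasons.append("HR-themed mail links to third-party cloud storage")
    if f["attachments"] and f["external_sender"]:
        s += 1; reasons.append("attachment from an external sender")
    return s, reasons


def classify(raw: str, org_domain: str, threshold: int = 4) -> tuple:
    s, reasons = score(extract_features(raw, org_domain))
    return ("suspicious" if s >= threshold else "ok", s, reasons)


# Constructed samples. The lure uses a placeholder relay domain and document id.
BENIGN = """From: "HR" <hr@example.com>
To: roger@example.com
Subject: Return-to-work guidance
Content-Type: text/plain

Hi Roger, the updated guidance is on the intranet:
https://intranet.example.com/hr/return-to-work
Regards, HR
"""

LURE = """From: "Example HR Department" <hr-notices@mail-relay.invalid>
To: roger@example.com
Subject: Return-to-work guidance - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Roger, Please review Example's new return-to-work guidance:
https://docs.google.com/document/d/CONSTRUCTED-ID/view
Regards, Example HR Department
--b1
Content-Type: application/pdf; name="guidance.pdf"
Content-Disposition: attachment; filename="guidance.pdf"

JVBERi0x
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("lure", LURE)):
        print(label, classify(raw, "example.com"))
```

The point of the sketch is the combination: a return-to-work topic, a link on docs.google.com or an attachment are each normal on their own, so none of them scores by itself; the signals fire only when the origin features (external sender domain, display name borrowing the company or HR name) contradict the content features. Reputation-based blocking of the link host would never trigger here, which is exactly the gap Alibe describes.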
You can read more on the INKY blog.