Criminals posing as HR departments to steal logins

Security researchers from Cofense have identified a new phishing campaign that aims to steal corporate login credentials from newly remote workers.

The new campaign exploits Microsoft Sway, a “widely used” application that allows employees to generate documents such as newsletters and presentation decks.

Emails with subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access’ are delivered to the victim and are designed to look as if they originated with the company’s HR department.

Victims are asked to enrol in a “Remote Operation Policy” via a real Sway link - exploited by the attackers - that leads to an imitation login page. The page then captures any login credentials the target enters.
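For mail teams, the lure described above combines three checkable signals: an HR-themed subject, a link to a genuine Sway host, and a sender outside the organisation. The following triage sketch is an added example, not code from Cofense or the article; the organisation domain `corp.example`, the Sway hostname `sway.office.com` and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "corp.example"       # assumption: the organisation's own mail domain
SWAY_HOSTS = {"sway.office.com"}  # assumption: host serving Sway pages (not named in the article)
# Themes drawn from the subject lines and policy name quoted in the article.
SUBJECT_THEMES = re.compile(
    r"employee enrol+ment|remote work access|remote operation policy", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def signals(raw):
    """Return the set of lure signals present in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)  # decodes RFC 2047 subjects
    found = set()
    if SUBJECT_THEMES.search(str(msg.get("Subject", ""))):
        found.add("hr_themed_subject")
    # Scan every text part so links in both plain and HTML bodies are seen.
    text = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    if hosts & SWAY_HOSTS:
        found.add("sway_link")
    # Compare the address domain, not the display name, which the sender controls.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain != ORG_DOMAIN:
        found.add("external_sender")
    return found

def needs_review(raw):
    """Hold for analyst review only when all three signals coincide."""
    return signals(raw) == {"hr_themed_subject", "sway_link", "external_sender"}

# Constructed sample messages (not taken from the campaign).
LURE = ("From: HR Department <hr@mail-notice.example>\n"
        "Subject: Employee Enrollment Required\n\n"
        "Enrol in the Remote Operation Policy: https://sway.office.com/PLACEHOLDER\n")
NEWSLETTER = ("From: Comms <comms@corp.example>\n"
              "Subject: March newsletter\n\n"
              "Read it here: https://sway.office.com/PLACEHOLDER\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("newsletter", NEWSLETTER)):
        print(name, sorted(signals(raw)), needs_review(raw))
```

Because Sway is a legitimate service, a Sway link on its own is not treated as a finding; the internal newsletter sample is left alone while the externally sent HR lure is held for review.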

Cofense believes fraud campaigns that aim to capitalise on the coronavirus pandemic will remain in circulation for the foreseeable future.

“As employees have rapidly shifted to remote working, threat actors have started to look at ways they capitalise on the Covid-19 pandemic to spoof new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future,” said Cofense.