According to experts, cybercriminals are trying to steal logins and passwords from corporate email accounts in this way. What sets this campaign apart is that not only the text of the emails but also the attachments are personalized.
In the detected mailings, the recipient is addressed by name both in the email itself and in the attached file, which the potential victim is invited to read. The document allegedly contains information about remote work protocols, security standards and available employee benefits. To lower the recipients' guard, the attackers add a fake "verified sender" mark to the body of the email. However, the entire message is not text but an image, a technique the attackers use in an attempt to bypass mail filters.
The Laboratory said:
In reality, the attached file called "Employee Guide" does not contain the promised information - only the title page, table of contents and a section with a QR code, which allegedly leads to the full version of the instructions. Phrases have been added to the guide to convince the user that this document is definitely for him.
If the victim scans the QR code and follows the link, they will be taken to a fake page that mimics the authorization form in Microsoft services, where they will be asked to enter their corporate email login and password. In this way, attackers are trying to steal this data.
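A defender-side heuristic for the image-only body described above, as an added example that is not part of the original article: it flags messages that carry almost no readable text, an image in the body, and an attachment. The threshold, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser

MIN_TEXT_CHARS = 40  # assumed threshold for "effectively no readable text"

class VisibleText(HTMLParser):
    """Collects visible text and notes <img> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.chunks, self.has_img, self.skip = [], False, 0
    def handle_starttag(self, tag, attrs):
        self.has_img |= tag == "img"
        self.skip += tag in ("style", "script")
    def handle_endtag(self, tag):
        if tag in ("style", "script") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def inspect_message(msg):
    """Flag mail whose body is an image with no readable text plus an attachment."""
    text_chars, has_image, attachments = 0, False, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or ctype)
        elif ctype == "text/plain":
            text_chars += len(re.sub(r"\s+", "", part.get_content()))
        elif ctype == "text/html":
            parser = VisibleText()
            parser.feed(part.get_content())
            text_chars += len(re.sub(r"\s+", "", "".join(parser.chunks)))
            has_image |= parser.has_img
        elif part.get_content_maintype() == "image":
            has_image = True
    suspicious = text_chars < MIN_TEXT_CHARS and has_image and bool(attachments)
    return {"text_chars": text_chars, "has_image": has_image,
            "attachments": attachments, "suspicious": suspicious}

def build_sample(image_only):
    """Constructed test messages; addresses and bytes are placeholders."""
    msg = EmailMessage()
    msg["To"], msg["Subject"] = "user@example.com", "Employee Guide"
    if image_only:
        msg.set_content('<html><body><img src="cid:b1"></body></html>', subtype="html")
        msg.add_related(b"\x89PNG constructed", maintype="image", subtype="png", cid="<b1>")
    else:
        msg.set_content("Hello, the updated remote work schedule for next quarter is attached.")
    msg.add_attachment(b"%PDF constructed", maintype="application",
                       subtype="pdf", filename="Employee Guide.pdf")
    return msg
```

Messages read from disk or a mail gateway need to be parsed with `policy=email.policy.default` so that `get_content()` is available on each part.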