HR policy update phishbait.

Abnormal Security released research this morning on phishing attacks purporting to be from internal HR departments with policy updates in the new year.

Campaigns leveraging HR policy themes.

The first attack, a payload-based credential phishing attack, claims to be from the victim’s company Human Resources department informing them of updates to benefits packages. The email asks for the review of an “updated handbook,” which would lead to a credential harvesting login page imitating Microsoft. The other observed link-based attack presented itself as an internal HR email, announcing a new employee handbook containing a link directing to a credential harvesting page.

Higher success rate in HR-themed phishing attacks.

The success rate of these attacks is bolstered by the time of year in which they take place, and the emotional responses that these types of updates derive from recipients. Updates to medical benefits can elicit a need for urgency within the victim, given the impact insurance changes may have on them or their loved ones. The other maneuver threat actors utilize in these attacks is making specific requests of the “employee,” asking for the acknowledgement and signature of documents.