Hackers are targeting employees returning to the post-COVID office

With COVID-19 restrictions lifting and employees starting to make their way back into offices, hackers are being forced to change tack. While remote workers have been scammers’ main target for the past 18 months due to the mass shift to home working necessitated by the pandemic, a new phishing campaign is attempting to exploit those who have started to return to the physical workplace.

The email-based campaign, observed by Cofense, is targeting employees with emails purporting to come from their CIO welcoming them back into offices.

The email looks legitimate enough, sporting the company’s official logo in the header, as well as being signed spoofing the CIO. The bulk of the message outlines the new precautions and changes to business operations the company is taking relative to the pandemic.

If an employee were to be fooled by the email, they would be redirected to what appears to be a Microsoft SharePoint page hosting two company-branded documents. “When interacting with these documents, it becomes apparent that they are not authentic and instead are phishing mechanisms to garner account credentials,” explains Dylan Main, threat analyst at Cofense’s Phishing Defense Center.

However, if a victim decides to interact with either document, a login panel appears and prompts the recipient to provide login credentials to access the files.

“This is uncommon among most Microsoft phishing pages where the tactic of spoofing the Microsoft login screen opens an authenticator panel,” Main continued. “By giving the files the appearance of being real and not redirecting to another login page, the user may be more likely to supply their credentials in order to view the updates.”

Another technique the hackers are employing is the use of fake validated credentials. The first few times login information is entered into the panel, the result will be the error message that states: “Your account or password is incorrect.”

“After entering login information a few times, the employee will be redirected to an actual Microsoft page,” Main says. “This gives the appearance that the login information was correct, and the employee now has access to the OneDrive documents. In reality, the threat actor now has full access to the account owner’s information.”

While this is one of the first campaigns that’s been observed targeting employees returning to the workplace (Check Point researchers uncovered another last year), it’s unlikely to be the last. Both Google and Microsoft, for example, have started welcoming staff back to office cubicles, and some 75% of executives expect that at least 50% of employees will be back working in the office by July, according to a recent PwC study.

Threat actors typically adapt to exploit the global environment. Just as the shift to mass working over remote connections led to an increase in the number of attacks attempting to exploit remote login credentials, it’s likely the number of attacks targeting on-premise networks and office-based workers will continue to grow over the coming months.