Sublime Security Attack Spotlight: Year-end credential phishing attacks.

We know the holidays can be stressful. With that in mind, we decided to lighten up the mood a bit and have some fun with this credential phishing post. We hope you enjoy learning about these year-end attacks.

It’s the holiday season here in the US, and for a lot of you, it means that while the turkey gets roasted, you get grilled. Global politics, life choices, career path, all fair game once the wine hits the table. This year, pivot family concerns about your life into your concerns about their email security.

Now’s the time that certain year-end phishing attacks start to pop up, and a holiday gathering can be an opportunity to help your family stay safe from scammers. So the next time an uncle asks, “So when are you going to settle down and start having kids,” you can respond with, “That’s a great question, but an even better question is, ‘How safe are you from email scams?’”

Let’s take a look at a few common phishing techniques that have started hitting inboxes.

Open enrollment

The end of the calendar year is a common time for open enrollment in health insurance plans, and scammers will use this as an opportunity to slip a phishing attempt past security controls. Employees can receive legitimate enrollment emails from a variety of sources: human resources (HR) representatives, HR systems (ex: Workday), managers, insurance companies, non-insurance benefits companies, document signing services, and more. That volume and variety creates room for attack.

Attackers will use standard HR verbiage in the subject and body to make it look like familiar, corporate boilerplate, but when that standard language is contrasted with suspicious signals within the email, the malicious intent becomes obvious. Here are some common signals we’ve detected in these phishing attempts:

  • Authoritative display names: The display name on the email will imply authority and authenticity even if the address does not.
  • Brand impersonation: Brands associated with open enrollment are imitated within the email subject or body. Imitations appear within sender/reply-to addresses, body and subject copy, images, links, and attachments.
  • QR codes: Attackers will commonly hide malicious links within QR codes. Legitimate open enrollment emails typically do not contain QR codes.

Here’s the investigation view from a recent phishing attempt that Sublime detected and prevented. In this attack, an impersonated Adobe Acrobat email was sent from an impersonated HR team member requesting a signature on an attached Employee Benefits Enrollment PDF.

Raises and bonuses

Successful scams need good bait, and there's no better bait than money. Attackers know this and will use the excitement of a year-end raise or bonus to phish credentials from the unsuspecting. Much like the open enrollment attacks, these attacks will impersonate commonly recognized titles and systems in order to reach the target’s inbox.

With this type of attack, the subject will include enticing language like “salary increase” or “bonus distribution” along with standard impersonation techniques. Some common signals in this attack are:

  • Suspicious attachments: Attachments are fairly standard in this type of scam. Sublime scans attachments for suspicious verbiage, links, QR codes, and more.
  • Suspicious document notifications: Attackers will create legitimate accounts on commonly used services in order to send automatic notifications. This is an important signal when paired with sender/reply-to information as well as the subject and body language.

In this example, the attacker used a legitimate Docusign account to deliver an attack under the guise of a salary increase. The Review Document link led to a Docusign document that contained the malicious phishing link:

To learn more about how attackers use legitimate services to deliver malicious payloads, read our blog Living Off the Land: Credential Phishing via Docusign abuse.

Annual reviews

While bonus notifications may get priority, annual reviews are an inevitability. Just like the other year-end scams, targets are expecting these emails. Not only are they expecting them, they know that there is an impending due date. Open enrollment will often automatically re-enroll people, so some get ignored. Salary increases happen with or without a signature. But annual reviews need to be submitted on time.

Additionally, reviews don’t just occur at the personnel level, but also at the corporate level. Certain certifications require companies to go through a renewal process every year, which now opens the company to year-end attacks.

In this example, the attack draws on all the standard authority and imitation approaches to deliver an innocuous-looking message with an HTML attachment that facilitates credential phishing. First, the message:

This is a standard looking renewal email with an attached “certification document”. While this may not necessarily appear suspicious to the target, Sublime flagged it quickly.

Before getting into the attachment, we can see that this message BCC'd all the recipients (hence the blank Recipients field above). Moreover, it was sent from a domain that had only recently been registered, a common practice by attackers. But most dangerously, the attached HTML contained obfuscated JavaScript which, when executed, creates a login form for harvesting credentials.
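The signals listed in the sections above (an authoritative display name on an outside address, mismatched reply-to, hidden recipients) and the obfuscated HTML attachment described here can be checked statically. The following is an added example for illustration, not Sublime's detection code; the sample message, its `.invalid` placeholder domains, and the `internal_domain` parameter are all constructed assumptions.

```python
"""Static triage of an email for the year-end phishing signals described above:
authoritative display name on an outside domain, Reply-To diverging from the
sender, hidden (BCC'd) recipients, and an HTML attachment with obfuscated JS."""
import re
from email import message_from_string
from email.utils import parseaddr
AUTHORITY_RE = re.compile(r"\b(hr|human resources|benefits|payroll|docusign|adobe)\b", re.I)
OBFUSCATION_MARKERS = ("atob(", "unescape(", "eval(", "document.write(", "fromCharCode(")
# Constructed sample message; the .invalid domains are placeholders, not real senders.
SAMPLE_EML = """\
From: "HR Benefits Team" <notice@renewal-portal.invalid>
Reply-To: hr-desk@mailer-host.invalid
To: undisclosed-recipients:;
Subject: Action required: annual certification renewal
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="certification.html"
Content-Disposition: attachment; filename="certification.html"

<html><script>var f=unescape("%3Cform%3E");document.write(atob("PGlucHV0IHR5cGU9InBhc3N3b3JkIj4="));eval(f);</script></html>
--b1--
"""

def triage(raw: str, internal_domain: str) -> dict:
    """Return the signals found in raw (an RFC 822 message) and a simple count.
    internal_domain is the organisation's own mail domain (assumed parameter)."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    to_header = msg.get("To", "").strip().lower()
    signals = {
        # Display name claims HR/vendor authority but the address is not ours.
        "authority_name_external": bool(AUTHORITY_RE.search(display)) and sender_domain != internal_domain,
        # Replies are routed to a different domain than the visible sender.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != sender_domain,
        # No visible recipients: the whole target list was BCC'd.
        "recipients_hidden": not to_header or "undisclosed" in to_header,
        "html_attachment_obfuscated": False,
    }
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" and part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            # Several decode/eval primitives, or a password field, marks the attachment.
            hits = sum(m in body for m in OBFUSCATION_MARKERS)
            if hits >= 2 or 'type="password"' in body.lower():
                signals["html_attachment_obfuscated"] = True
    signals["score"] = sum(1 for v in signals.values() if v is True)
    return signals
```

Domain age (the recently registered sender domain noted above) needs a WHOIS or passive-DNS lookup and is deliberately left out so the check runs offline.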

Login rendered by the obfuscated JavaScript within the HTML attachment

If you’re really trying to pivot a conversation with a family member over dinner, this one might be the perfect way to deflect, educate, and likely prevent further conversation. For example, “No, I hadn’t heard that the government is using airline food for mind control. But have you heard that hackers are using HTML email attachments to smuggle malicious JavaScript snippets onto targeted systems?”

Leave the phish, take the turkey

Now that these year-end phishing examples have given you an idea of what we're detecting and preventing here at Sublime, we encourage you to share what you know with your family over the holidays to keep them safe from the scams that are always lurking. You can even sign them up for a free Sublime account. Sublime works just as well (and as seamlessly) for individuals as it does for large companies.

And really, a family is just a company you can’t be fired from. Happy holidays!

About the Author

Brandon Murphy

Detection

Brandon is a Threat Detection Engineer at Sublime. He is a seasoned cybersecurity professional with over a decade of experience protecting internet users. Prior to Sublime, Brandon put his detection engineering expertise to use as a Sr. Staff Threat Analyst at Proofpoint.
