HR bonus-themed phishing attack looks to exploit year-end processes

Mimecast emphasises the importance of user awareness training amid the recent detection of an HR bonus-themed phishing attack.

South African businesses are being targeted by an active credential harvesting campaign. The campaign uses compromised e-mail accounts to distribute HR-themed phishing messages that impersonate DocuSign and company-specific HR departments.

This is according to Mimecast’s Threat Research team, which identified the HR bonus-themed campaign that exploits year-end corporate processes.

Compromised e-mail accounts are used to send PDF attachments with embedded QR codes.

Mimecast says the campaign is particularly concerning because of its strategic timing and its exploitation of legitimate business workflows. While the full extent of its geographic impact is not yet clear, the cyber company warns the South African market to be on guard. The Mimecast analyst team has clarified that this is an emerging global threat at this stage, so it does not yet have South African figures that would give ITWeb readers a clearer sense of how concerned they should be.

The company adds that this campaign demonstrates operational maturity through its use of geographically distributed compromised accounts, mobile device filtering and CAPTCHA bypass techniques to evade detection.

Mimecast explains that as organisations enter the final quarter of the year, HR departments across industries typically initiate bonus allocation, year-end performance reviews and benefits enrolment processes. Employees expect to receive legitimate communications about compensation, making them more susceptible to HR-themed phishing lures.

The threat actors have weaponised this expectation by crafting convincing messages that align with normal year-end corporate activities. The urgency implied in subject lines such as: “Let’s wrap up the year right – complete your bonus form!” exploits both the time-sensitive nature of year-end processes and employees’ financial interest in bonus information. This psychological manipulation significantly increases the likelihood of user interaction with malicious content, Mimecast notes.

According to Mimecast, the campaign operates through a multi-stage process:

1. Initial delivery: E-mails originate from compromised accounts, primarily using sender addresses associated with legitimate services and business domains.

2. Social engineering: Messages impersonate HR communications regarding bonus forms or year-end documentation.

3. PDF attachment: The e-mail contains a PDF attachment displaying the targeted organisation’s logo and HR branding to establish legitimacy.

4. QR code redirect: The PDF contains a QR code directing users to a credential harvesting portal.

5. Mobile targeting: Some variants employ filtering to ensure connections originate from mobile devices, where security controls may be less robust.

6. Credential harvesting: Users are redirected to a fake authentication page designed to capture corporate credentials.

Mimecast emphasises the importance of user awareness training, specifically training users to verify HR and bonus-themed communications rather than scanning the QR codes they contain, and on the risks of scanning QR codes from unexpected sources, particularly in e-mail attachments.

Furthermore, the company advocates training users to exercise heightened caution when accessing work-related content on mobile devices, where security indicators may be less visible.

It also advises businesses to conduct phishing simulations incorporating QR code scenarios, and search e-mail receipt logs and URL logs for technical indicators associated with these campaigns.
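The multi-stage chain above (lure subject, PDF attachment, external sender, QR code landing page, mobile-only filtering) and the advice to search e-mail receipt logs and URL logs both lend themselves to a simple triage script. The following is an added example written for this article, not Mimecast's detection content; it assumes two constructed log exports, a pipe-delimited mail receipt log (timestamp|sender|recipient|subject|attachments) and a URL log (timestamp|user|url|user_agent), and treats docusign.com and docusign.net as the legitimate brand domains, which is an assumption for the example rather than a statement from the article.

```python
"""Log triage for the HR bonus / QR-code lure pattern described in the article.

Added example, not Mimecast's tooling. Both log formats are constructed
assumptions: a mail receipt export (timestamp|sender|recipient|subject|attachments)
and a URL/proxy export (timestamp|user|url|user_agent).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Lure vocabulary taken from the campaign description: HR, bonus, year-end, DocuSign.
LURE_TERMS = re.compile(
    r"\b(bonus|year[- ]end|wrap up the year|benefits enrolment|performance review|docusign)\b",
    re.IGNORECASE,
)
# Crude mobile user-agent check; the campaign filters for mobile devices.
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    subject: str
    reasons: list = field(default_factory=list)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def triage_mail_log(lines, internal_domain: str):
    """Flag messages that combine an HR/bonus lure subject with a PDF attachment.

    An external sender is recorded as an extra reason: mail that poses as your
    own HR department but arrives from another domain matches the
    compromised-account delivery the campaign relies on.
    """
    findings = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # header or malformed line
        ts, sender, recipient, subject, attachments = parts
        reasons = []
        if LURE_TERMS.search(subject):
            reasons.append("hr-bonus-lure-subject")
        names = [a.strip() for a in attachments.split(";") if a.strip()]
        if any(a.lower().endswith(".pdf") for a in names):
            reasons.append("pdf-attachment")
        # Only the lure + PDF combination is actionable on its own.
        if "hr-bonus-lure-subject" not in reasons or "pdf-attachment" not in reasons:
            continue
        if _domain(sender) != internal_domain.lower():
            reasons.append("external-sender")
        findings.append(Finding(ts, sender, recipient, subject, reasons))
    return findings


def suspicious_brand_hosts(lines, brand="docusign", legit_domains=("docusign.com", "docusign.net")):
    """Return URL-log hits whose host carries the brand name but is not under a brand domain.

    legit_domains is an assumption for this example. The mobile flag records
    whether the request came from a mobile user agent, which is where the
    campaign's filtering steers victims.
    """
    hits = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, url, user_agent = parts
        host = (urlsplit(url).hostname or "").lower()
        if brand not in host:
            continue
        if any(host == d or host.endswith("." + d) for d in legit_domains):
            continue
        hits.append({"timestamp": ts, "user": user, "host": host,
                     "mobile": bool(MOBILE_UA.search(user_agent))})
    return hits


# Constructed sample logs; every address and host below is fictitious.
MAIL_LOG = """\
2025-11-18T08:02:11Z|payroll@contoso-supplier.example|alice@victimco.example|Let's wrap up the year right - complete your bonus form!|Bonus_Form_VictimCo.pdf
2025-11-18T08:05:40Z|hr@victimco.example|bob@victimco.example|Year-end performance review schedule|
2025-11-18T08:09:03Z|newsletter@vendor.example|carol@victimco.example|November product update|Update.pdf
2025-11-18T08:12:55Z|docusign-hr@compromised-partner.example|dave@victimco.example|DocuSign: HR bonus documentation awaiting signature|HR_Bonus_Docs.pdf
"""
URL_LOG = """\
2025-11-18T08:03:30Z|alice@victimco.example|https://docusign-secure-login.example/hr/bonus|Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)
2025-11-18T08:07:12Z|bob@victimco.example|https://app.docusign.com/documents/123|Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-11-18T08:08:01Z|carol@victimco.example|https://intranet.victimco.example/hr|Mozilla/5.0 (Windows NT 10.0; Win64; x64)
"""

if __name__ == "__main__":
    for f in triage_mail_log(MAIL_LOG.splitlines(), "victimco.example"):
        print(f.timestamp, f.recipient, f.reasons, "|", f.subject)
    for h in suspicious_brand_hosts(URL_LOG.splitlines()):
        print(h)
```

On the sample data the mail triage flags only the two messages that pair a bonus-themed subject with a PDF, both from outside the organisation's domain, and the URL check surfaces the one DocuSign-lookalike host, reached from a mobile user agent; a real deployment would feed these two lists into the phishing-simulation and log-search steps the article recommends.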