Cofense - Security Awareness Training & Email Threat Detection

Dept. of Labor Phish Appears for the Month of December

Share This Article
“Phish Found in Environments Protected by SEGs” Microsoft Proofpoint  By Alex Geoghagan, Cofense Phishing Defense Center Impersonating a government entity is a relatively common practice for threat actors to attempt. Through this impersonation a threat actor seeks to gain trust or authority in an interaction with a potential victim. Recently, the Cofense Phishing Defense Center (PDC) has analyzed a phishing campaign that impersonates the United States Department of Labor. In this specific campaign, the threat actor also tries to push a financial incentive with the lure of an “INVITATION FOR BID” through the Department of Labor.

Graphical user interface, text, application Description automatically generated

Figure 1: Email Body

Seen in Figure 1, the threat actor was able to spoof the from address to increase the level of authenticity. Seen in the body, the email itself is structured to look like an RFP for “ongoing government projects.” The recipient is prompted to open a PDF attachment for information and directions for the bid invitation. A recipient who opens the attachment without realizing that this is not a legitimate government communication will be presented with a PDF document that contains a link to the phishing website.

Diagram Description automatically generated

Figure 2: PDF Attachment

The PDF, shown in Figure 2, is carefully crafted to lend credence to the scam, as well as to apply pressure with time sensitivity by reminding them of a “10:00 A.M.” deadline. It contains a list of instructions for filling out information that will allegedly be used to apply for the bid, however, this is simply done to make the phish appear to be more legitimate. The “BID” button contained within the PDF is the true goal of the threat actor, as clicking on it will direct the recipient to a fraudulent Department of Labor site.

Graphical user interface, website Description automatically generated

Figure 3: Phishing Page

The fraudulent page, Figure 3, is almost a 1:1 of the legitimate Department of Labor’website at Even with the domain, openbid-dolgov[.]us, the threat actor crafted it to be believable to the untrained eye. Upon reaching this page there will be a small popup that reiterates the instructions that are contained in the PDF. This page also contains a “Click here to bid” button that takes the recipient to the phishing page requesting their credentials, as seen in Figure 4.

Figure 4: Phishing Page

Oddly enough, the threat actor has specifically asked for either their Microsoft Office 365 credentials OR their business email credentials (widening the net to collect anything the user might be willing to divulge). Once the credentials are submitted, the user is redirected to practically the exact same page, but it is asking the user to solve a captcha instead of signing in. An interesting note added to the page is reassuring the recipient their data will be cleared within five minutes, most likely mimicking the legitimate bidding site. A communication appearing to come from a government source may also be seen as more official, especially if the attacker is able to spoof a .gov email address. With how carefully crafted it is, this phish can pose a threat to any email environment, even ones protected by a secure email gateway (SEG). With the help of watchful users reporting suspicious email, analysts at the PDC can quickly identify threats like this one, and enterprises can benefit from our entire view of the threat. Reach out to us to learn how we can help you.
Indicators of Compromise IP
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.