Mid-Year Engagement Trap: How Fake Surveys Are Used in Phishing

August 20, 2024

Found in Environments Protected By: Microsoft ATP 

 By Brandon Cook and Andy Mann, Cofense Phishing Defense Center 

Companies around the world use surveys to gauge employees’ opinions on a wide variety of topics, ranging from company values to where the next luncheon should be held. Surveys can be distributed in many ways, but the most common method is email. For threat actors, this is a prime opportunity to strike.  

The Cofense Phishing Defense Center (PDC) recently discovered and analyzed an employee engagement survey phishing campaign that attempted to harvest Microsoft Office 365 credentials. The threat actor took advantage of common business activities and sent out a fake questionnaire disguised as a mid-year engagement survey, to steal employee information.  

The Cofense PDC has seen many types of HR phishing attacks in the past, but very rarely do we see a phish disguised as a mid-year engagement survey. Mid-year engagement surveys are a common strategy employed by many organizations to see how they can improve. To add an air of authenticity, instead of taking an employee directly to the fake Microsoft Office 365 page, the campaign first redirects them to a webpage where they are asked to verify their full name to begin the “survey.”  

Figure 1: Email Body 

In this phishing email, the threat actor spoofed a legitimate company's domain to make it appear as though the email is coming from the recipient's HR department. Despite the domain having no actual connection to the recipient's company, the email is signed with the name "Human Resources," adding an appearance of authenticity. Vocabulary within the email is used to pressure the recipient into compliance, indicating that this is mandatory for all employees and will be very short, creating a sense of urgency.  
 

The email features a "Begin Engagement Survey" button that, when clicked, redirects the recipient to a site designed to confirm their identity. This combination of urgency, authoritative language, and a seemingly legitimate request is crafted to lower the recipient's guard and prompt immediate action. 

Figure 2: Phishing Page 

After clicking the link, the recipient is taken to a website (Figure 2) that prompts them to enter their first and last name before clicking the “Begin Survey” button, despite the survey being described as "Anonymous and Confidential" in the initial email (Figure 1). While some surveys do solicit identification, most of the time the link provided is unique to the recipient and requires no confirmation at all, or at most asks the recipient to confirm their email address. This is done so that such surveys can track usage, limit spamming of survey submissions, and/or send confirmation details to the submitter.  

 

The identification page is hosted on the form-building site Wufoo, a platform whose services are sometimes exploited by threat actors for phishing purposes. Abusing services such as this is a common tactic in phishing schemes because they are easy to use and familiar to users. Additionally, the page lacks any company mention or branding, which is a subtle indicator that it is not legitimately sponsored by the recipient’s organization.  
 
After entering a first and last name and clicking the button, the recipient will be redirected to the final page of the hoax. 
Figure 3: Phishing Page 

Once the user clicks the “begin survey” button, they are redirected to a page designed to resemble a Microsoft login (Figure 3). This is the most common login to be spoofed when it comes to credential harvesting. Despite the familiar appearance, the most glaring red flag is the URL, which reads "niiansesnet0.cfd"—a domain that has no association with Microsoft or the recipient’s organization. 

This phishing campaign exemplifies how threat actors exploit not just urgency but also timing to deceive recipients. By impersonating legitimate sources like HR departments issuing mid-year engagement surveys, and using familiar platforms such as Microsoft, these attacks can potentially evade the untrained eye. However, inconsistencies, such as suspicious URLs and requests for personal information in supposedly anonymous surveys, can be key indicators of deception. Recognizing these signs is crucial for protecting against such schemes and preventing credential theft. Contact us to learn more. 
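As an added illustration (not Cofense's code or tooling), the following Python checks a constructed email against the red flags described above: an HR display name on a sender domain unrelated to the recipient's organization, pressure language, an "anonymous" survey that routes through a form builder, and a login page on a host that is not a Microsoft sign-in host. The sample message, the `.test` domains and the host lists are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above; not a real capture.
SAMPLE_EMAIL = """From: Human Resources <hr@benchurl-example.test>
To: employee@victim-corp.test
Subject: Mid-Year Engagement Survey (Mandatory)
Content-Type: text/html

<p>All employees must complete this short, anonymous and confidential survey today.</p>
<a href="https://hresign.wufoo.test/forms/m1ox5s7s02wbc10/">Begin Engagement Survey</a>
"""

# Assumed (trimmed) list of hosts where a Microsoft sign-in page legitimately lives.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Assumed list of form-builder hosts used for the "confirm your name" step.
FORM_BUILDER_SUFFIXES = (".wufoo.com", ".wufoo.test")
URGENCY_TERMS = ("mandatory", "must complete", "today", "immediately")
HR_DISPLAY_NAMES = ("human resources", "hr department")


def _in_org(domain: str, org_domain: str) -> bool:
    """True when domain is org_domain itself or a subdomain of it."""
    return domain == org_domain or domain.endswith("." + org_domain)


def score_survey_phish(raw_email: str, org_domain: str, landing_host: Optional[str] = None) -> List[str]:
    """Return the red flags from the analysis that are present in an HR-survey style email."""
    msg = message_from_string(raw_email)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Flag 1: signed "Human Resources" but sent from a domain with no link to the recipient's org.
    if display.strip().lower() in HR_DISPLAY_NAMES and not _in_org(sender_domain, org_domain.lower()):
        flags.append("hr_display_name_external_domain")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    # Flag 2: vocabulary that pressures the recipient into immediate compliance.
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency_language")
    # Flag 3: an "anonymous" survey whose button leads to a form builder that asks for identity.
    hosts = [(urlparse(u).hostname or "").lower() for u in re.findall(r'href="([^"]+)"', body)]
    if "anonymous" in text and any(h.endswith(FORM_BUILDER_SUFFIXES) for h in hosts):
        flags.append("anonymous_survey_via_form_builder")
    # Flag 4: the final page imitates a Microsoft login but is not on a Microsoft login host.
    if landing_host and landing_host.lower() not in MICROSOFT_LOGIN_HOSTS:
        flags.append("login_page_on_non_microsoft_host")
    return flags
```

The `landing_host` argument is the hostname the survey button ultimately resolves to; in the campaign above that was the non-Microsoft domain shown in Figure 3.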

 
 

Indicators of Compromise 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 

   

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.