
Return to Office Security: Hackers Target Employees

June 1, 2021

Phishing Attacks Evolve with Return to Office

As COVID-19 related restrictions are eased and employees begin returning to office environments, cybercriminals are adjusting their strategies. For the past year and a half, remote workers were the primary focus for phishing scams, coinciding with the widespread adoption of work-from-home arrangements.

However, a recently detected phishing campaign is now focused on individuals who are resuming in-person work.

Campaign Details

This email-based attack, as reported by Cofense, involves emails seemingly sent by the targeted organization’s CIO, welcoming employees back to the workplace.

The emails are designed to appear authentic, featuring the company’s official logo and a forged signature mimicking the CIO. The message content details new safety measures and operational changes related to the pandemic.

Exploitation Tactics

Should an employee fall for the deception, they are directed to a webpage that resembles a legitimate Microsoft SharePoint site, hosting two documents branded with the company’s identity.

According to Dylan Main, a threat analyst at Cofense’s Phishing Defense Center, these documents are not genuine but serve as phishing tools designed to steal account credentials.

Upon interaction, a login prompt appears, requesting the recipient’s login details to access the files.

This approach differs from typical Microsoft phishing pages, which usually present an authenticator panel immediately. By presenting seemingly legitimate files and avoiding an initial redirect, attackers aim to increase the likelihood of users entering their credentials.

Deceptive Login Process

The attackers employ a further tactic of simulating failed login attempts. Initially, entering login information results in an “incorrect account or password” error message.

After several unsuccessful attempts, the user is redirected to a genuine Microsoft page, creating the illusion that their credentials were correct and granting them access to OneDrive documents.

In reality, the attacker has gained complete access to the compromised account.
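The fake-failure-then-redirect sequence described above leaves a recognizable trace in web proxy logs. The following detection sketch is an added example, not code from Cofense or the original article; the log format, sample lines, host names, domain list, threshold and time window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: domains treated as genuine Microsoft sign-in/storage hosts.
MICROSOFT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
                      "sharepoint.com", "live.com")
MIN_POSTS = 2                    # assumed threshold for "several" attempts
WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed sample proxy log: time, user, method, URL, status, Location header
SAMPLE_LOG = """\
2021-06-01T09:00:05 alice GET https://docs-portal.example.net/sites/hr/policy 200 -
2021-06-01T09:00:40 alice POST https://docs-portal.example.net/auth 200 -
2021-06-01T09:01:02 alice POST https://docs-portal.example.net/auth 200 -
2021-06-01T09:01:30 alice POST https://docs-portal.example.net/auth 302 https://login.microsoftonline.com/
2021-06-01T09:05:00 bob POST https://login.microsoftonline.com/common/login 302 https://contoso.sharepoint.com/
2021-06-01T09:06:00 carol POST https://forms.example.org/submit 302 https://forms.example.org/thanks
"""

def is_microsoft(host):
    """True if host is one of the assumed Microsoft domains or a subdomain."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)

def find_suspect_logins(log_text):
    """Return (user, host, post_count) for each non-Microsoft host that took
    repeated POSTs from one user and then redirected that user to Microsoft."""
    posts = defaultdict(list)    # (user, host) -> timestamps of recent POSTs
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue             # skip malformed lines
        ts, user, method, url, status, location = parts
        when = datetime.fromisoformat(ts)
        host = urlsplit(url).hostname
        if method != "POST" or is_microsoft(host):
            continue             # only form submissions to non-Microsoft hosts
        key = (user, host)
        posts[key] = [t for t in posts[key] if when - t <= WINDOW] + [when]
        redirected = (status.startswith("3")
                      and is_microsoft(urlsplit(location).hostname))
        if redirected and len(posts[key]) >= MIN_POSTS:
            alerts.append((user, host, len(posts[key])))
    return alerts
```

This only catches a redirect issued as an HTTP 3xx response that the proxy can see; a redirect performed by script in the page would need correlation with the user's next request instead.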

Growing Trend

While this is among the first observed campaigns targeting returning employees – Check Point researchers identified another last year – it is unlikely to be an isolated incident.

With companies like Google and Microsoft encouraging staff to return to offices, and a PwC study indicating that at least 50% of employees are expected back by July, this type of attack is anticipated to become more prevalent.

Tonia Dudley, a strategic advisor at Cofense, explained to TechCrunch that threat actors will likely continue to exploit themes related to the return to work in their attacks.

Both remote and in-office workers will remain targets, as a hybrid work model is expected to become the norm.

Adapting to the Environment

Cybercriminals consistently adapt their methods to exploit current circumstances.

Just as the shift to remote work led to an increase in attacks targeting remote login credentials, it is expected that attacks on on-premise networks and office-based workers will increase in the coming months.
