Hackers Mimic as Company’s HR to Trick Employees

Hackers are now impersonating company Human Resources (HR) departments to deceive employees into revealing sensitive information.

This latest phishing tactic highlights the increasing sophistication of cyber threats, leveraging trust and urgency to exploit corporate environments.

In this article, we dissect the mechanics of this phishing attempt and provide insights to help employees recognize and avoid falling victim to such scams.

The Anatomy of the Phishing Email

The phishing email in question has been detected in environments protected by Google, Outlook 365, and Proofpoint.

It is crafted to resemble an official communication from a company’s HR department, complete with a subject line that demands attention: “Important: Revised Employee Handbook.”

This subject line is designed to create a sense of urgency, prompting recipients to open the email without hesitation. 

phishing email(source: cofense)

Inside, the email uses formal language and a structured format typical of corporate communications.

It begins with a polite greeting and quickly transitions into a directive to review a revised employee handbook.

Download Free Incident Response Plan Template for Your Security Team – Free Download

The email stresses compliance by a specific deadline, usually by the end of the day, to heighten the urgency and importance of the message. 

The primary objectives of this phishing email are twofold: to lure recipients into clicking on an embedded hyperlink and trick them into entering their credentials on a fake login page.

By appearing to originate from Handbook, a trusted source, the email leverages authority and urgency to persuade recipients to take immediate action without questioning its authenticity.

Psychological Manipulation Tactics

As per a report by Cofense, the threat actors behind this phishing campaign employ psychological tactics to manipulate recipients.

They play on fears of non-compliance with company policies and promise significant changes outlined in the handbook.

Revised Employee Handbook( source:cofense)

This manipulation aims to override natural skepticism and caution when handling unsolicited emails.

The email contains a hyperlink masked as the “HR COMPLIANCE SECTION FOR REVISED EMPLOYEE HANDBOOK.” Clicking on this link redirects recipients to a page miming a legitimate document hosting site.

Here, they are presented with a “PROCEED” button, which leads them further into the trap. Upon clicking “PROCEED,” users are redirected to a page branded by Microsoft.

This is where the phishing attack becomes more sophisticated. The page asks for Microsoft credentials and looks convincingly legitimate.

How the Attack Unfolds

Once users enter their company email address, they are redirected to what looks like their company’s Microsoft Office 365 login page.

After entering their username and potentially their password, they receive an error message stating, “There was an unexpected internal error.

Please try again.” This message is part of the ruse. Users are then redirected to the actual company Single Sign-On (SSO) or Okta login page, making them think there was a minor issue. Meanwhile, the threat actor has captured their username and possibly their password.

This phishing campaign exemplifies the growing sophistication of cyber threats that exploit trust and urgency within corporate environments.

To mitigate such risks, organizations must employ robust cybersecurity measures, including user awareness training and advanced email security solutions.

A multi-layered approach combining technological defenses with vigilant employees as the first line of defense is crucial in protecting against these evolving threats.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago