Remote workers are being targeted by a wide-ranging new online scam looking to steal business logins.
Researchers at security firm Cofense have uncovered a phishing campaign masquerading as emails from HR departments.
The scam targets employees who are still getting used to working from home, tricking them into giving away credentials such as login details through fake remote working enrollment forms.
Cofense found that the hackers were exploiting the popular Microsoft Sway application to steal credentials and host phishing websites.
Sway is a free application from Microsoft that allows employees to generate documents such as newsletters and presentations and is commonly used by professionals to conduct their regular day to day work tasks.
The criminals used this service to create and send out emails containing subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access.’ Claiming to come from “Human Resources”, and phrased to resemble official internal communications the email asks the recipient to click on a link to enroll in an remote working policy.
However clicking on this link sends the victim to a fake phishing site, where their credentials are stolen and potentially sold on.
Cofense says it has detected multiple instances of such scams, and warns that as they often used legitimate domains and URLs, these campaigns went undetected for a long periods of time, which could mean a large number of accounts were compromised.
“As employees have rapidly shifted to remote working, threat actors have started to look at ways they capitalize on the COVID-19 pandemic to spoof new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future,” Kian Mahdavi from the Cofense Phishing Defense Center wrote in a blog explaining the threats.
Cofense recommends employees take extra care when reading all emails, even those claiming to come from their employer, and check links by hovering their cursor above the hyperlinked text to ensure it is directing them to a legitimate site.