Phishing Emails: Employee Records
The NJCCIC observed an increase in phishing emails claiming to provide updated employee compensation records, often implying a base pay increase. In one instance, the messages included an Adobe PDF attachment with a QR code that directed users to a counterfeit Microsoft OneDrive authentication page. The page was designed to harvest user credentials and two-factor authentication (2FA) tokens and to retrieve the associated session cookie. This campaign used the Adversary-in-the-Middle (AiTM) technique, relying on the synchronous relay capabilities of the “ODx” Phishing-as-a-Service (PhaaS) platform.

In a similar campaign, the messages included an EML attachment with a QR code that directed users to a counterfeit Docusign page, which prompted them to log in to their Microsoft account to verify their identity before they could view the report. Signing in to the Microsoft account and entering the provided code allowed the threat actors behind the campaign to capture the user’s authentication token, which they could then use to access the user’s account. This campaign used the EvilTokens Device Code PhaaS.
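Both campaigns leave traces in identity sign-in logs: a device code phishing victim produces a successful sign-in whose authentication protocol is the device code flow, typically from an IP address the user has never used, and an AiTM session cookie replay produces the same session identifier appearing from two different IP addresses within a short window. The following is an added detection example written for this advisory, not NJCCIC or vendor code. It assumes the field names of the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, authenticationProtocol, sessionId, status); the sample records and both heuristics are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data). Only the handful of
# Entra ID sign-in fields used by the two heuristics below are modelled, and
# the field names are assumed to follow the Microsoft Graph signIn resource.
# status 0 = success; any other value is treated as a failed sign-in.
SAMPLE_SIGNINS = [
    # alice: normal interactive sign-ins from her usual address
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.10", "authenticationProtocol": "oAuth2", "sessionId": "sess-a1", "status": 0},
    {"createdDateTime": "2024-05-01T08:30:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.10", "authenticationProtocol": "oAuth2", "sessionId": "sess-a1", "status": 0},
    # alice: a failed attempt, then a successful device code sign-in from an unfamiliar address
    {"createdDateTime": "2024-05-01T09:04:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode", "sessionId": "sess-a2", "status": 50126},
    {"createdDateTime": "2024-05-01T09:05:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode", "sessionId": "sess-a2", "status": 0},
    # bob: same session cookie reused from a second address twenty minutes later (AiTM replay pattern)
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.20", "authenticationProtocol": "oAuth2", "sessionId": "sess-b1", "status": 0},
    {"createdDateTime": "2024-05-01T09:20:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.77", "authenticationProtocol": "oAuth2", "sessionId": "sess-b1", "status": 0},
    # carol: device code sign-in from an address she already uses (e.g. a CLI login); not flagged
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.55", "authenticationProtocol": "oAuth2", "sessionId": "sess-c1", "status": 0},
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.55", "authenticationProtocol": "deviceCode", "sessionId": "sess-c2", "status": 0},
]


def _parse_time(value):
    # Graph timestamps are UTC with a trailing "Z"; strptime keeps this portable across Python versions.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(records, replay_window=timedelta(hours=1)):
    """Return findings for device code sign-ins from unfamiliar IPs and session replay across IPs.

    Heuristics (assumptions for this example, tune to your environment):
    - A user's baseline is the set of IPs seen on their earlier successful, non-device-code sign-ins.
    - A successful device code sign-in from an IP outside that baseline is flagged.
    - A sessionId observed from two different IPs within replay_window is flagged on the later event.
    """
    successes = [dict(r, ts=_parse_time(r["createdDateTime"])) for r in records if r["status"] == 0]
    successes.sort(key=lambda r: r["ts"])

    findings = []
    baseline = defaultdict(set)        # user -> IPs seen on prior interactive sign-ins
    session_ips = defaultdict(list)    # sessionId -> [(timestamp, ip), ...]

    for r in successes:
        user, ip, proto, sid = r["userPrincipalName"], r["ipAddress"], r["authenticationProtocol"], r["sessionId"]

        if proto == "deviceCode":
            if ip not in baseline[user]:
                findings.append({"time": r["createdDateTime"], "user": user, "ipAddress": ip,
                                 "rule": "device_code_from_unfamiliar_ip"})
        else:
            # Only non-device-code sign-ins contribute to the baseline, so a flagged
            # device code login does not quietly become "familiar".
            baseline[user].add(ip)

        for prev_ts, prev_ip in session_ips[sid]:
            if prev_ip != ip and r["ts"] - prev_ts <= replay_window:
                findings.append({"time": r["createdDateTime"], "user": user, "ipAddress": ip,
                                 "rule": "session_replay_across_ips"})
                break
        session_ips[sid].append((r["ts"], ip))

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SIGNINS):
        print(f"{f['time']} {f['user']:<20} {f['ipAddress']:<15} {f['rule']}")
```

Run against the constructed records, the script reports alice's device code sign-in from 203.0.113.77 and bob's session being reused from that same address; carol's device code login from her known address is left alone. Failed attempts are excluded from both the baseline and the replay check so that a password-spray attempt cannot poison a user's set of familiar addresses. In production the baseline should be built from a longer history than the analysis window, and the replay check is most useful when combined with the session's user-agent and device identifiers.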
Recommendations
- Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
- Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.
- Enable MFA and keep systems and browsers up to date.
- If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.
- Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
- Report malicious cyber activity to the NJCCIC and the FBI’s IC3.
