These HR Lures Don’t Include Benefits

The NJCCIC observed an increase in phishing emails with human resources (HR)-related lures. These messages claim to distribute revised employee handbooks and ask recipients to confirm receipt by completing the acknowledgment form that is included in the attachment. In one campaign, the emails include links, attachments, or QR codes that direct to sites promoting “low-cost” advertising. Under specific circumstances, these sites redirect to pages that either attempt to install potentially unwanted programs (PUPs) or display tech support scam pages.

A second campaign with a similar HR theme contains an Adobe PDF attachment with a QR code that directs users to a CAPTCHA page. Completing the CAPTCHA redirects users to a counterfeit Microsoft login page designed to steal credentials, 2FA tokens, and the associated session cookies. This approach uses the Adversary-in-the-Middle (AiTM) technique, leveraging the EvilProxy phishing kit's synchronous relay capabilities: the kit proxies the victim's traffic to the real login service in real time, so the victim completes the MFA prompt themselves and the attacker captures the authenticated session cookie that results.
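Because an AiTM relay lets the victim satisfy MFA on the attacker's behalf, the defender's best signal is often in what happens to the session afterwards: the cookie was issued to one client (the proxy) and is then replayed from another. The following is an added example, not code from the NJCCIC advisory or from any vendor's product, that runs a simple session-replay heuristic over constructed sign-in and session-use events. The event schema, the sample users, IP addresses, user agents and session identifiers are all assumptions made for illustration; a real deployment would map these fields from the identity provider's sign-in logs. Phishing-resistant MFA (FIDO2/WebAuthn) is the stronger control, since the credential is bound to the legitimate origin and cannot be relayed, but where it is not yet deployed this kind of check gives detection coverage.

```python
"""Flag session cookies that look relayed or replayed (AiTM-style misuse).

Added example, not part of the advisory. Heuristic: a session that was
issued (after a successful login/MFA) to one IP and user agent, and is then
presented from a different IP or user agent within a short window, is
suspicious. A session used with no recorded issuance at all is also flagged,
since that is what an imported stolen cookie looks like.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    user: str
    session_id: str    # opaque identifier for the session cookie (constructed)
    ip: str
    user_agent: str
    kind: str          # "issued" (cookie minted after MFA) or "used" (cookie presented)


def _t(hhmm: str) -> datetime:
    """Helper: build a timestamp on one fixed (constructed) day."""
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00")


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
SCRIPT_UA = "python-requests/2.31"

# Constructed sample events; every value below is made up for illustration.
SAMPLE_EVENTS: List[SessionEvent] = [
    # alice: cookie issued to one client, then replayed by a script elsewhere
    SessionEvent(_t("09:00"), "alice", "sess-a1", "203.0.113.10", BROWSER_UA, "issued"),
    SessionEvent(_t("09:02"), "alice", "sess-a1", "203.0.113.10", BROWSER_UA, "used"),
    SessionEvent(_t("09:15"), "alice", "sess-a1", "198.51.100.77", SCRIPT_UA, "used"),
    # bob: ordinary session, same client throughout
    SessionEvent(_t("10:00"), "bob", "sess-b1", "192.0.2.5", BROWSER_UA, "issued"),
    SessionEvent(_t("10:05"), "bob", "sess-b1", "192.0.2.5", BROWSER_UA, "used"),
    # carol: IP changes, but well outside the default window (e.g. network roaming)
    SessionEvent(_t("11:00"), "carol", "sess-c1", "192.0.2.9", BROWSER_UA, "issued"),
    SessionEvent(_t("13:30"), "carol", "sess-c1", "192.0.2.50", BROWSER_UA, "used"),
    # dave: cookie presented although no issuance was ever logged
    SessionEvent(_t("12:00"), "dave", "sess-d1", "198.51.100.20", BROWSER_UA, "used"),
]


def find_relayed_sessions(events: List[SessionEvent],
                          window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Return one alert dict per suspicious 'used' event, in time order.

    Only uses within `window` of issuance are compared against the issuing
    client, to limit noise from legitimate network changes later in the day.
    """
    issued: Dict[str, SessionEvent] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "issued":
            issued[ev.session_id] = ev
            continue
        origin: Optional[SessionEvent] = issued.get(ev.session_id)
        if origin is None:
            alerts.append({"ts": ev.ts, "user": ev.user, "session_id": ev.session_id,
                           "used_ip": ev.ip, "issued_ip": None,
                           "reasons": ["no_issuance_seen"]})
            continue
        if ev.ts - origin.ts > window:
            continue
        reasons = []
        if ev.ip != origin.ip:
            reasons.append("ip_changed")
        if ev.user_agent != origin.user_agent:
            reasons.append("user_agent_changed")
        if reasons:
            alerts.append({"ts": ev.ts, "user": ev.user, "session_id": ev.session_id,
                           "used_ip": ev.ip, "issued_ip": origin.ip, "reasons": reasons})
    return alerts


def format_alert(alert: dict) -> str:
    """Render an alert as a single log line suitable for forwarding to a SIEM."""
    return (f"{alert['ts'].isoformat()} SESSION_REPLAY user={alert['user']} "
            f"session={alert['session_id']} issued_ip={alert['issued_ip']} "
            f"used_ip={alert['used_ip']} reasons={','.join(alert['reasons'])}")


if __name__ == "__main__":
    for a in find_relayed_sessions(SAMPLE_EVENTS):
        print(format_alert(a))
```

Run as-is it reports alice's replayed cookie and dave's cookie with no recorded issuance; widening the window (for example to three hours) also surfaces carol's IP change, which is the usual tuning trade-off between catching a slow replay and tolerating legitimate roaming. Pair the alert with a session revocation and password reset for the affected user, which is what the recommendations below call for.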

Recommendations

  • Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
  • Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.
  • Enable multi-factor authentication (MFA) and keep systems and browsers up to date.
  • If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.
  • Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
  • Report malicious cyber activity to the NJCCIC and the FBI’s IC3.