Key Points
- Multi-month campaign impersonating the Awardco employee rewards platform, targeting entire organizations since May 2025
- Sophisticated evasion using multiple redirect chains, legitimate security URL solutions, and various delivery methods including QR codes
- Campaign leverages universal employee expectation of rewards program communications to maximize reach
- Attribution to internally tracked threat operation MCT03028 with significant resources and evolving techniques
Campaign Overview
Hiwot Mendahun, Ankit Gupta and the Mimecast Threat Research team have identified an extensive, multi-month campaign targeting organizations by impersonating Awardco, a widely used employee rewards and recognition platform. This campaign is attributed to a threat operation internally tracked as MCT03028 and represents a significant human risk challenge as it exploits the universal expectation that employees receive communications about workplace rewards, benefits, and recognition programs.
Unlike targeted attacks that focus on specific roles or departments, Awardco impersonation can effectively target entire organizations since all employees typically interact with rewards platforms and expect to receive related notifications. Since May 2025, threat actors have demonstrated remarkable persistence and sophistication, utilizing various compromised accounts, multiple redirect services, and diverse delivery methods to maintain campaign effectiveness. The attacks leverage the inherent trust employees place in legitimate workplace benefits communications, making this particularly dangerous from a human risk management perspective. Employees naturally expect communications about rewards programs, performance recognition, and benefit updates, creating an ideal social engineering opportunity for threat actors.
The campaigns have evolved over the four-month period, demonstrating the threat actors' adaptability and resource availability. Initially utilizing simple redirects through compromised domains, the operation has progressed to incorporate sophisticated multi-stage redirect chains, QR code delivery mechanisms, SMS-based distribution, and abuse of legitimate security services.
Dimakatso Makinta