Key Points
- Long-running credential harvesting operation conducted by MCTO3022, targeting organizations through HR department impersonation
- Campaigns employ employee handbook compliance requirements and payroll authorization requests
- Latest campaign evolution includes Adobe PDF Sign impersonation that drops the PDQConnect RMM tool instead of harvesting credentials
- Operations demonstrate advanced social engineering combining fake employment opportunities with compliance-themed lures across multiple industries
Campaign Overview
The Mimecast Threat Research team continues to monitor a credential harvesting campaign conducted by MCTO3022, which systematically targets organizations through HR department impersonation. This persistent operation combines traditional employee handbook compliance lures with evolved payroll authorization schemes, demonstrating significant operational maturity and tactical adaptation over extended campaign periods. The HR-themed operations typically focus on employee handbook updates and compliance requirements, leveraging organizational policies that require employees to act on HR communications.
These campaigns exploit the routine nature of HR compliance processes, making malicious communications appear as standard business operations that employees are expected to complete promptly. MCTO3022 demonstrates evasion capabilities through strategic abuse of legitimate services, including SharePoint domains for initial URL hosting and Mailchimp survey platforms for credential collection. This infrastructure approach allows the threat actor to leverage the trust and deliverability associated with established business platforms while maintaining operational flexibility through rapid domain cycling and service switching.
The operation's scope extends beyond traditional credential harvesting to include recruitment-based reconnaissance, where fake regional representative positions are advertised to collect detailed applicant information. This dual-purpose approach suggests sophisticated intelligence gathering capabilities designed to support both immediate credential theft and longer-term organizational reconnaissance activities.
Latest Campaign Evolution: PDQConnect RMM Deployment
Recent campaign activity shows MCTO3022 has evolved beyond traditional credential harvesting to deploy Remote Monitoring and Management (RMM) tools, specifically PDQConnect, through their established Adobe PDF Sign payroll authorization lures. This tactical shift represents a significant escalation in the threat actor's capabilities, moving from credential theft to persistent remote access deployment.
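As an added example, not code from Mimecast or from the article, the following triage pass encodes the chain described above as stacked indicators: an HR/payroll-themed subject, a first link hosted on SharePoint, a landing page on a third-party survey platform, and an HR-themed message arriving from outside the organization's own domain. The record format, the organization domain, the host suffix lists and the sample messages are all constructed assumptions; the Adobe Sign payroll variant is included to show the rule still fires without the survey hop.

```python
import re
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # the defended organisation's own mail domain (assumption)
# Services abused for hosting and collection per the article (SharePoint links, Mailchimp
# surveys); the suffix lists are assumptions and should be extended from local telemetry.
TRUSTED_HOSTING = ("sharepoint.com",)
FORM_HOSTS = ("mailchimp.com",)
# Lure vocabulary: handbook compliance and payroll authorisation themes.
HR_LURE = re.compile(
    r"\b(employee handbook|handbook|payroll|compliance|acknowledg\w*|authori[sz]\w*|human resources|hr)\b",
    re.IGNORECASE,
)

@dataclass
class MailEvent:  # one gateway record in a constructed format
    msg_id: str
    sender: str
    subject: str
    link_host: str      # host of the first link in the message body
    landing_host: str   # host reached after following redirects

def host_in(host: str, suffixes: tuple) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def score(ev: MailEvent) -> list:
    """Matched indicators; each alone is benign, the stacked combination is the signal."""
    reasons = []
    hr_theme = bool(HR_LURE.search(ev.subject))
    if hr_theme:
        reasons.append("hr-lure-subject")
    if host_in(ev.link_host, TRUSTED_HOSTING):
        reasons.append("link-on-trusted-hosting")
    # Trusted first hop that ends on a third-party survey/form host: the collection pattern.
    if host_in(ev.landing_host, FORM_HOSTS) and not host_in(ev.link_host, FORM_HOSTS):
        reasons.append("lands-on-survey-form")
    if hr_theme and ev.sender.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
        reasons.append("external-sender-hr-theme")  # HR mail should come from the org's own domain
    return reasons

def triage(events, threshold: int = 3):
    """Flag messages stacking at least `threshold` indicators."""
    return [(ev.msg_id, score(ev)) for ev in events if len(score(ev)) >= threshold]

# Constructed sample records, not real indicators.
SAMPLE = [
    MailEvent("m1", "hr-notices@mailer-example.net", "HR Compliance: Employee Handbook Acknowledgement Required",
              "tenant-example.sharepoint.com", "form-example.mailchimp.com"),
    MailEvent("m2", "payroll@example.com", "Payroll: Q3 timesheet reminder", "example.sharepoint.com", "example.sharepoint.com"),
    MailEvent("m3", "news@vendor-example.org", "Your weekly product digest", "vendor-example.org", "vendor-example.org"),
    MailEvent("m4", "esign-notice@mailer-example.net", "Adobe Sign: Payroll authorization form awaiting your signature",
              "tenant-example.sharepoint.com", "files-example.net"),
]
```

Running `triage(SAMPLE)` flags m1 (all four indicators) and m4 (three), while the internal payroll reminder m2 stops at two and stays below the threshold.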
Dimakatso Makinta