Key Points
- Credential harvesting campaign impersonating new employee notifications across multiple organizations
- Multi-stage attack flow utilizing fake verification pages and CAPTCHA to evade detection
- Leverages the FlowerStorm phishing-as-a-service platform, whose Adversary-in-the-Middle (AitM) capabilities are used to bypass MFA
Campaign Overview
The Mimecast Threat Research team has identified an active credential harvesting campaign that uses HR-related lures, including a new employee onboarding notification, to steal Microsoft 365 credentials. The operation uses company-specific lures that reference fictitious new employees joining the target organization, creating a sense of legitimacy that encourages user interaction. The campaign follows a multi-stage attack flow designed to evade automated detection systems. Recipients receive emails announcing new employee arrivals, often with the target company's name in the subject line to increase credibility.
When users click the embedded links, they are redirected to convincing verification pages that display photos of the supposed new joiners along with CAPTCHA challenges; the CAPTCHA makes the page appear legitimate while preventing security scanners from reaching the final credential-harvesting payload.
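The lure pattern described above (onboarding wording in the subject, the target company's name used by an external sender, and a link to a "verification" page hosted off the company's own domains) can be turned into a simple triage score. The following is an added example, not Mimecast's code; the organization name, internal domains and all sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed assumptions: the defended organisation's name and the domains it owns.
ORG_NAME = "examplecorp"
INTERNAL_DOMAINS = ("examplecorp.com",)
# Phrases typical of the new-employee / onboarding lures described in the campaign.
LURE_TERMS = ("new employee", "new joiner", "onboarding", "welcome aboard", "new starter")

def is_internal(host):
    """True when host is one of the organisation's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def extract_hosts(body):
    """Hostnames of every http(s) URL in the message body (trailing punctuation stripped)."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [urlparse(u.rstrip(".,;)")).hostname or "" for u in urls]

def score_message(msg):
    """Return (score, reasons) for one email record with 'from', 'subject' and 'body'."""
    reasons = []
    subject = msg["subject"].lower()
    sender_host = msg["from"].split("@")[-1]
    if any(term in subject for term in LURE_TERMS):
        reasons.append("hr-lure-subject")
    # The campaign puts the target company's name in the subject while sending from outside it.
    if ORG_NAME in subject and not is_internal(sender_host):
        reasons.append("org-name-in-subject-from-external-sender")
    # The 'verification page' lives off the company's own domains.
    external = [h for h in extract_hosts(msg["body"]) if h and not is_internal(h)]
    if external:
        reasons.append("external-link:" + external[0])
    return len(reasons), reasons

def triage(messages, threshold=2):
    """IDs of messages scoring at or above threshold, for analyst review."""
    return [m["id"] for m in messages if score_message(m)[0] >= threshold]

# Constructed sample messages; all addresses and hosts are placeholders.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "from": "onboarding@hr-notify.example",
     "subject": "New employee joining ExampleCorp - please verify their profile",
     "body": "Meet your new colleague: https://verify-joiner.example/onboard?id=4821."},
    {"id": "msg-2", "from": "hr@examplecorp.com", "subject": "Welcome aboard: new joiner in Finance",
     "body": "Profile on the intranet: https://intranet.examplecorp.com/people/new"},
    {"id": "msg-3", "from": "news@vendor-mail.example", "subject": "Monthly product update",
     "body": "Read more at https://vendor-mail.example/update"},
]
```

Only msg-1 meets the threshold; the genuine HR mail and the vendor newsletter each trip a single heuristic and are left alone, which is the point of scoring rather than keyword-blocking.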
Please click here to read the entire article. We welcome your questions; please ask them by posting a comment below.
Dimakatso Makinta