Key Points
- Threat Type: Credential harvesting via QR code phishing
- Brand Impersonated: DocuSign, company HR departments
- Primary Vector: Compromised email accounts sending PDF attachments with embedded QR codes
Campaign Overview
The Mimecast Threat Research team has identified an active credential harvesting campaign that uses compromised email accounts to distribute HR-themed phishing messages impersonating DocuSign and company-specific HR departments. The campaign shows operational maturity in its use of geographically distributed compromised accounts, mobile-device filtering, and CAPTCHA bypass techniques to evade detection.
Timely Exploitation of Year-End Business Processes
This campaign is particularly concerning due to its strategic timing and exploitation of legitimate business workflows. As organizations enter the final quarter of the year, HR departments across industries typically initiate bonus allocation, year-end performance reviews, and benefits enrollment processes. Employees expect to receive legitimate communications about compensation, making them more susceptible to HR-themed phishing lures. The threat actors have weaponized this expectation by crafting convincing messages that align with normal year-end corporate activities. The urgency implied in subject lines such as "Let's Wrap Up the Year Right – Complete Your Bonus Form!" exploits both the time-sensitive nature of year-end processes and employees' financial interest in bonus information. This psychological manipulation significantly increases the likelihood of user interaction with malicious content.
Attack Chain
The campaign operates through a multi-stage process:
1. Initial Delivery: Emails originate from compromised accounts, primarily using sender addresses associated with legitimate services and business domains
2. Social Engineering: Messages impersonate HR communications regarding bonus forms or year-end documentation
3. PDF Attachment: The email contains a PDF attachment displaying the targeted organization's logo and HR branding to establish legitimacy
4. QR Code Redirect: The PDF contains a QR code directing users to a credential harvesting portal
5. Mobile Targeting: Some variants employ filtering to ensure connections originate from mobile devices, where security controls may be less robust
6. Credential Harvesting: Users are redirected to a fake authentication page designed to capture corporate credentials
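As an added example (not Mimecast's code or tooling), the following Python triage helper covers the two checks this chain calls for on the defender's side: flagging HR-lure mail whose PDF carries a QR-code URL, and testing whether that URL serves its credential form only to mobile user agents, which is what lets the mobile-filtering variant slip past desktop-based URL scanners. The lure word list, the user-agent strings and the sample message are assumptions; QR decoding of the PDF is assumed to have happened upstream, and the HTTP fetcher is injected so the check runs offline against a constructed stand-in.

```python
import re
from typing import Callable, List, Tuple
from urllib.parse import urlparse

# Lure wording seen in this campaign's subject lines (pattern list is an assumption built from the advisory).
LURE_RE = re.compile(
    r"\b(bonus|year[- ]end|wrap up the year|benefits enrollment|performance review)\b", re.I)
# Placeholder user agents: only the desktop/mobile distinction matters to the check.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)

def triage(subject: str, attachments: List[Tuple[str, List[str]]], own_domain: str) -> Tuple[int, List[str]]:
    """Score one message against the campaign pattern; returns (score, reasons).
    attachments: (filename, urls decoded from QR codes in that file). Sender
    reputation is not scored: the campaign sends from compromised legitimate accounts."""
    score, reasons = 0, []
    if LURE_RE.search(subject):
        score += 2; reasons.append("HR/bonus lure wording in subject")
    for filename, qr_urls in attachments:
        if not (filename.lower().endswith(".pdf") and qr_urls):
            continue
        score += 3; reasons.append(f"PDF {filename} embeds QR-code URL(s)")
        for url in qr_urls:
            host = urlparse(url).hostname or ""
            if host != own_domain and not host.endswith("." + own_domain):
                score += 2; reasons.append(f"QR URL points off-domain: {host}")
    return score, reasons

def is_mobile_gated(url: str, fetch: Callable[[str, str], Tuple[int, str]]) -> bool:
    """True when a credential form is served only to the mobile user agent.
    fetch(url, user_agent) -> (status, body): a real HTTP client in a sandbox,
    or the constructed stand-in below for offline use."""
    d_status, d_body = fetch(url, DESKTOP_UA)
    m_status, m_body = fetch(url, MOBILE_UA)
    desktop_form = d_status == 200 and bool(PASSWORD_FIELD.search(d_body))
    mobile_form = m_status == 200 and bool(PASSWORD_FIELD.search(m_body))
    return mobile_form and not desktop_form

def fake_fetch(url: str, ua: str) -> Tuple[int, str]:
    """Constructed stand-in for HTTP: the page shows its login form only to mobile clients."""
    if "iPhone" in ua or "Android" in ua:
        return 200, '<form><input type="email"><input type="password"></form>'
    return 200, "<html><body>Document unavailable.</body></html>"

# Constructed sample matching the campaign: lure subject, branded PDF, QR URL off-domain.
SAMPLE_SUBJECT = "Let's Wrap Up the Year Right – Complete Your Bonus Form!"
SAMPLE_ATTACHMENTS = [("Bonus_Form.pdf", ["https://hr-portal.example/login"])]
```

Run the landing-page check from a sandbox with a real fetcher, never from an analyst workstation, and feed the off-domain host into your URL blocklist once the mobile-only behaviour is confirmed.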
Dimakatso Makinta