Kaspersky has identified an advanced phishing campaign targeting employees with personalised emails and attached documents disguised as HR policy updates. This campaign marks a significant escalation in phishing tactics, with attackers tailoring not only the email body, but also the attachments by addressing individual recipients, showcasing an unprecedented level of customisation. The goal was to lure the victim into entering their corporate email credentials.
The attackers likely prepared by parsing employee names to make the campaign targeted and more convincing. The emails feature a deceptive body: a fraudulent "verified sender" badge to build trust, the recipient’s name, and an invitation to open the attached file to review remote work protocols, benefits administration and security standards. However, the whole email body is in reality just an image with no real text in it; this is done to bypass email filters.
The
body of the fraudulent email is made of an image, not text
The attached document, posing as an updated "Employee Handbook," does not contain any actual guidelines – only a title page, a table of contents with the items that have supposedly been changed highlighted in red, a page with a QR code, supposedly for going to the full document and common instructions on how to read QR codes using a phone. The document features the victim’s name multiple times to convince that this document was created specifically for them.
The alleged “Employee handbook” attached file
If the victim scans the QR code and follows the link, they land on a fraudulent page where they are asked to enter their corporate credentials, which is what the attackers are hunting for.
"This campaign demonstrates a new level of sophistication in phishing attacks, and we may be seeing a new mailing automation mechanism that generates a separate attached document and a separate image for the email body for each recipient. This tactic allows to scale the attack and at the same time possibly evade traditional defenses. Organisations must prioritise advanced security measures and employee education to stay ahead of these threats," comments Roman Dedenok, Anti-Spam Expert at Kaspersky.
To stay safe, Kaspersky recommends:
- Utilise specialised security solutions at the corporate mail server level to detect and block phishing attempts.
- Ensure all employee devices, including smartphones, are equipped with robust security software.
- Conduct regular training on modern phishing tactics.
- Encourage employees to scrutinise emails for signs of phishing, such as image-based text or mismatched document titles, and to verify requests directly with HR.
