Comments by: Thomas Richards, Principal Security Consultant, Synopsys Software Integrity Group
The recent phishing campaign impersonating the US Department of Labor demonstrates a high level of sophistication compared to other phishing campaigns witnessed in the wild. The entity responsible for the campaign has made careful preparations to ensure their attacks are delivered as planned and are successful. This includes multiple landing websites on different domains in case one is compromised, routing email through known-good servers, and a sophisticated PDF payload. This is most likely the first phase of the attacker’s campaign while they try to gain credentials and access to reach their intended target.
Comments by: Jamie Boote, Security Consultant, Synopsys Software Integrity Group
While most email scams introduce misspellings, implausible scenarios, and appeals to greed to hook gullible victims, this particular phishing attack’s sophistication is novel in how the attacker-controlled site and communications appear identical to government communications. The use of the .us domain to add credibility is something we can expect to see spread as more top-level domains are available and the messaging around the difference between .gov and .us is nonexistent.
The solution lies in employee training, awareness, and education. Rather than clicking links in email, users should rely on bookmarks to ensure they end up at the valid site. For contractors that do frequent business with government pages, it would be a good idea to send out a bulletin informing their employees of what this scam is and how they can avoid it. As a secondary line of defence, technical controls should continue to be updated with known malicious sites and domains to prevent an errant or thoughtless click from compromising accounts.