That anti-phishing training email your employees just received may itself be a phishing email, according to cyber threat analysts who recently uncovered a security awareness-themed social engineering campaign.
In a blog post on Wednesday, experts at Cofense reported on a phishing campaign that sends emails purporting to be a notification urging employees to complete their training with cybersecurity awareness company KnowBe4. Clicking on the embedded links, however, takes email recipients to a phishing page designed to steal their Microsoft Outlook credentials and other personal information.
KnowBe4 originally reported on this same scheme in its own blog post earlier this month, noting that the scam "should serve as a reminder that no online company or brand is immune or impervious to being spoofed as part of a malicious email campaign. Online brands, sites, and services are all vulnerable to such attacks, and your users should be completely aware of this phenomenon."
The email warns employees that they have only one day left to complete their training before the program expires. Urgency is often a tool used by social engineers to trick victims into making hasty decisions without thinking about the consequences of their actions. And the fact that the attackers chose a cybersecurity theme is especially deceptive.
The emails also "discourage recipients from browsing directly to legitimate company training pages with the following statement," note blog post co-authors Max Gannon and Brad Haas, Cofense threat intelligence analysts: the message insists that the training isn't available through the employee portal.
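The lure described above combines three signals a mail filter can score: a brand is named in the message, but its links resolve to an unrelated host; the wording imposes a deadline; and the text steers the reader away from the legitimate portal. The following is an added example, not code from Cofense or KnowBe4, that scores those signals with Python's standard library. The two messages are constructed for illustration, and the sender addresses, hostnames and phrase lists are assumptions (the only legitimate-domain mapping assumed is knowbe4.com for KnowBe4).

```python
"""Heuristic scorer for brand-spoofing training lures (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Brands a lure may impersonate, mapped to domains that would legitimately
# host their links. Assumption for illustration: knowbe4.com for KnowBe4.
BRAND_DOMAINS = {
    "knowbe4": {"knowbe4.com"},
}

# Deadline language that pressures the recipient into acting at once.
URGENCY_PATTERNS = [
    r"\b(only|just)\s+\d+\s+(day|hour)s?\s+left\b",
    r"\bexpires?\s+(today|tomorrow|in\s+\d+)\b",
    r"\bimmediately\b",
]

# Language that steers the victim away from the real portal.
DIVERSION_PATTERNS = [
    r"\bnot\s+available\s+(through|via|in)\s+the\s+(employee\s+)?portal\b",
    r"\bdo\s+not\s+(browse|go)\s+directly\b",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _text_parts(msg):
    """Decoded text/plain and text/html bodies of a parsed message."""
    return [
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    ]


def analyze(raw_message):
    """Return a list of (category, detail) findings; empty means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = "\n".join(_text_parts(msg))
    haystack = f"{msg['subject'] or ''}\n{body}".lower()
    findings = []

    # Brand named but links go somewhere the brand does not own.
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in haystack:
            continue
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if not _host_matches(host, domains):
                findings.append(("link_mismatch", f"{brand} named, link to {host}"))

    for pat in URGENCY_PATTERNS:
        m = re.search(pat, haystack)
        if m:
            findings.append(("urgency", m.group(0)))

    for pat in DIVERSION_PATTERNS:
        m = re.search(pat, haystack)
        if m:
            findings.append(("diversion", m.group(0)))

    return findings


# Constructed sample lure; addresses and hosts are placeholders.
SAMPLE_LURE = """\
From: Security Training <training@example-notify.test>
To: employee@corp.test
Subject: KnowBe4 training: only 1 day left
Content-Type: text/plain; charset=utf-8

Your KnowBe4 security awareness training expires tomorrow.
You have only 1 day left to complete it.
This course is not available through the employee portal, so use the link below:
http://training-portal.attacker.test/knowbe4/login
"""

# Constructed benign notice whose link stays on the assumed brand domain.
SAMPLE_LEGIT = """\
From: KnowBe4 <notifications@knowbe4.com>
To: employee@corp.test
Subject: Your KnowBe4 training assignment
Content-Type: text/plain; charset=utf-8

A new course has been assigned to you.
Sign in at https://training.knowbe4.com/ when convenient.
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LURE):
        print(finding)
    print("legit findings:", analyze(SAMPLE_LEGIT))
```

The link-mismatch check is the strongest of the three signals: urgency and diversion wording also appear in legitimate reminders, so they are best used to raise a score rather than to block on their own. A real deployment would also resolve tracking redirects before comparing hosts, since many genuine vendor emails route clicks through a click-tracking domain.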
Cofense says the phishing kit has been hosted on the domains of compromised web sites since mid-April 2020. Several of these sites were also found to have recently hosted a web shell called "Chips L MINI SHELL," which gives attackers the ability to upload and edit files on the server.
So perhaps companies will now have to hold additional security awareness training to warn employees to look out for fake security awareness training.