Threat Intel Flash: Diving into Hidden Scheduled Tasks 

Get the Latest


Performance Appraisal Attack

A new corporate email phishing attack has been found that mimics the performance appraisal process used by many companies, according to researchers at Kaspersky Lab. The email claims to be from the organization’s human resources department and directs the recipient to click on a fake “HR Portal” link. The link redirects the recipient to a primitive website that asks for their login credentials. To make the site look more legitimate, the phishing page includes an “I agree to the Privacy Policy” checkbox. After the victim enters their login credentials into the phishing page, the page asks them to wait for an email with additional instructions and select one of the three options for a performance appraisal. Meanwhile, the victim’s password is sent back to the attacker. While most phishing pages will, in the end, redirect a victim back to a legitimate site, this new campaign simply comes to an abrupt end; the victim never receives the follow-up email. The corporate phishing attack is not a new technique used by attackers: In 2018, attackers were spotted using SharePoint files to host phishing links. In early 2019, bad actors were observed using Microsoft voicemail notifications to trick employees into opening HTML attachments that redirected them to phishing pages.

Analyst Notes

Email continues to be the most common attack vector for breaching a company’s network. To best protect against phishing attacks, operators of business IT systems should practice defense-in-depth. This includes using a professional service to screen email messages and block any recognized phishing attempts. Email messages originating from outside the organization should be altered to clearly indicate to the recipient that the email came from outside and reminding the employee to be careful about clicking any links or opening any attachments. Email attachments should be screened and tested for malicious content before reaching the intended recipient, especially if the attachment is an Office document containing macros or OLE objects containing scripts. Companies are recommended to provide regular training to employees on how to spot phishing campaigns and how to defend them. In case an attacker bypasses all of the other protections, it is important to have 24×7 monitoring of security operations, to detect and respond to unusual behavior or from accounts logging in from foreign countries unexpectedly.