Beware of emails threatening a code of conduct review

A widespread phishing campaign has targeted tens of thousands of employees


Microsoft has issued an alert over a large-scale credential theft campaign that uses lures centered around corporate codes of conduct.

The emails were related to internal compliance or regulatory issues, with display names such as 'Internal Regulatory COC', 'Workforce Communications', and 'Team Conduct Report'.

Subject lines included 'Internal case log issued under conduct policy' and 'Reminder: employer opened a non-compliance case log'.

The emails were sent using a legitimate email delivery service, likely originating from a cloud-hosted Windows virtual machine (VM).

The accusations and repeated time-bound action prompts created a sense of urgency, Microsoft researchers said. The emails were also built on polished, enterprise-style HTML templates with structured layouts and authenticity statements, making them appear more credible than typical phishing emails.

The bodies of the messages claimed that a code of conduct review had been initiated, referenced organization-specific names embedded within the text, and instructed recipients to open a PDF attachment to see the materials of the case.

Clicking through took users first to one of two attacker-controlled domains - acceptable-use-policy-calendly[.]de or compliance-protectionoutlook[.]de.

The landing pages displayed a Cloudflare CAPTCHA, presented as checking that the user was coming 'from a valid session', and that likely served as a gating mechanism to impede automated analysis and sandbox detonation.

According to Microsoft, the attack chain ultimately led to a legitimate sign-in experience that formed part of an adversary-in-the-middle (AiTM) phishing flow.

Unlike traditional credential harvesting, AiTM attacks intercept authentication traffic in real time, bypassing multifactor authentication (MFA).

As a result, the attackers were able to proxy the authentication session and capture authentication tokens that could provide immediate account access.

"Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effective against evolving security controls," the researchers warned.

What industries are affected?

Between 14 and 16 April this year, the Microsoft Defender Research team said it spotted a series of campaigns targeting more than 35,000 users across over 13,000 organizations in 26 countries. Most targets - 92% - were located in the US.

The campaign didn't focus on a single vertical but instead impacted a broad range of industries, most notably healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%).

Microsoft said organizations should review the recommended settings for Exchange Online Protection and Microsoft Defender for Office 365 to check for essential defenses and the ability to monitor and respond to threat activity. They should also invest in user awareness training and phishing simulations.

Enabling Zero-hour auto purge (ZAP) in Defender for Office 365 is advised: it quarantines mail that has already been delivered when newly acquired threat intelligence identifies it as malicious. Retroactively neutralizing malicious phishing, spam, or malware messages that have already reached mailboxes is also urged.

It's also worth manually checking for, and purging, unwanted emails whose URLs and/or Subject fields are similar, but not identical, to those of known bad messages.
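The "similar but not identical" check above is the kind of triage a mailbox administrator would script rather than eyeball. The following is an added example, not code from Microsoft or ITPro: it takes the indicators quoted in this article (subject lines, sender display names and the two defanged domains), normalizes subjects, scores each sample message with fuzzy matching from Python's standard library, and reports which messages deserve review or purge. The similarity thresholds, the message record format and the sample mailbox entries are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Indicators quoted in the article: subject lines, sender display names and
# the two attacker-controlled domains (kept defanged, as on the page).
KNOWN_BAD_SUBJECTS = [
    "Internal case log issued under conduct policy",
    "Reminder: employer opened a non-compliance case log",
]
KNOWN_BAD_DISPLAY_NAMES = [
    "Internal Regulatory COC",
    "Workforce Communications",
    "Team Conduct Report",
]
KNOWN_BAD_DOMAINS = [
    "acceptable-use-policy-calendly[.]de",
    "compliance-protectionoutlook[.]de",
]

# Thresholds are assumptions for this example; tune them on your own corpus,
# since a low subject threshold will also catch benign HR or compliance mail.
SUBJECT_THRESHOLD = 0.80
DOMAIN_THRESHOLD = 0.90
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def normalize(text):
    """Lowercase, drop a leading Re:/Fw:/Fwd: prefix and punctuation, collapse whitespace."""
    text = re.sub(r"^\s*(re|fw|fwd)\s*:\s*", "", text.lower())
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(text.split())


def refang(domain):
    """Turn the defanged 'example[.]de' form back into a comparable hostname."""
    return domain.replace("[.]", ".").lower()


def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()


def subject_similarity(subject, known):
    return similarity(normalize(subject), normalize(known))


def url_domains(body):
    """Hostnames of every http(s) URL found in a message body."""
    return {m.group(1).lower().rstrip(".") for m in URL_RE.finditer(body)}


def domain_verdict(domain, bad):
    """'exact' for the domain or a subdomain, 'lookalike' for a near match, else None."""
    bad = refang(bad)
    if domain == bad or domain.endswith("." + bad):
        return "exact"
    if similarity(domain, bad) >= DOMAIN_THRESHOLD:
        return "lookalike"
    return None


def score_message(msg):
    """Return the reasons a message resembles the campaign (empty list = clean)."""
    reasons = []
    for known in KNOWN_BAD_SUBJECTS:
        s = subject_similarity(msg["subject"], known)
        if s >= SUBJECT_THRESHOLD:
            reasons.append(f"subject ~ {known!r} ({s:.2f})")
            break
    bad_names = {normalize(n) for n in KNOWN_BAD_DISPLAY_NAMES}
    if normalize(msg["from_name"]) in bad_names:
        reasons.append(f"display name {msg['from_name']!r}")
    for domain in sorted(url_domains(msg["body"])):
        for bad in KNOWN_BAD_DOMAINS:
            verdict = domain_verdict(domain, bad)
            if verdict:
                reasons.append(f"url domain {domain} ({verdict} match for {refang(bad)})")
                break
    return reasons


def triage(messages):
    """Map message id -> reasons for every message that should be reviewed or purged."""
    result = {}
    for msg in messages:
        reasons = score_message(msg)
        if reasons:
            result[msg["id"]] = reasons
    return result


# Constructed sample mailbox entries for the example; none are real messages.
SAMPLE_MESSAGES = [
    {"id": "m1", "from_name": "Internal Regulatory COC",
     "subject": "Internal case log issued under conduct policy - action required",
     "body": "Open the attached PDF or visit https://compliance-protectionoutlook.de/review"},
    {"id": "m2", "from_name": "HR Notifications",
     "subject": "RE: Reminder: Employer opened a non compliance case log",
     "body": "Please respond within 24 hours."},
    {"id": "m3", "from_name": "People Team",
     "subject": "Q2 team lunch schedule",
     "body": "Vote here: https://intranet.example.com/lunch"},
    {"id": "m4", "from_name": "Compliance Desk",
     "subject": "Your quarterly training is due",
     "body": "Details: https://compliance-protection-outlook.de/case"},
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "->", "; ".join(reasons))
```

Run stand-alone, the script flags m1 (subject, display name and exact domain), m2 (subject variant with a "RE:" prefix and a missing hyphen) and m4 (a hyphenated lookalike of one of the campaign domains), and leaves m3 alone. In a real tenant the message records would come from a message trace or mailbox export rather than the inline list, and any hit should be reviewed before a purge, since fuzzy subject matching on compliance-themed wording will also touch legitimate HR mail.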

Organizations should enable passwordless authentication methods or use authenticator apps, researchers said, and strengthen privileged accounts with phishing-resistant MFA.


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.