New phishing technique shows alarming vulnerability

We came across a spear phishing campaign that was cleverly disguised as an internal communication. It resembled one of the many newsletters your inbox is probably packed with right now.


What’s the scariest part of a horror movie? It’s when the victim suddenly finds out that the threat isn’t some abstract thing that may get them… when they find out that the threat is nearby… when the threat is coming from inside the house!

Your inbox is probably one big mess of marketing messages, newsletters, surveys, and other content that is irrelevant to your work. Often you are facing a huge pile of unread messages, and frankly, only a handful of us read all of them. That is why effective phishing emails rarely look like spam: a message that gets skimmed past never gets clicked.

However, we found a phishing email that was disguised as an internal newsletter. You are far more likely to read information you perceive as relevant to you, so this phishing email does a great job of making you stop skimming your inbox. That is exactly what makes it dangerous.

Let’s have a look...

Phishing email disguised as an internal newsletter

The attack works like a spear phishing attack: the email targets an employee at a specific company and includes many elements of personalization. Notice how the greeting uses the recipient’s actual name, making the message feel more personal and legitimate. The sender also has a very credible title (information admin), and the footer of the message looks neat. Combined with multiple mentions of the company and the use of its logo, this makes the message even harder to spot for someone simply skimming their inbox. Even the content of the email seems normal. Almost too normal. Which is how phishers get you.

This attacker made a convincing phishing email by using a topic that applies to all employees: their health. Everyone wants to be healthy, so employee health, especially during COVID-19, is a big talking point in every company. We are sure you have received messages like this from your internal communications. How much did you think before taking action?

  • Pay attention to the language
    Does the message sound like the ones you have received before from this person or team?
  • Call the person or ask face to face whether the message is real before giving any personal details.
    Check their contact information in your internal portal, not in the email itself!
  • If you notice anything suspicious...
    ...report the email via the Hoxhunt button and inform your IT department!

Stay off the hook.

Newsletters may seem harmless, but you can never be too careful. This is a good example of an attack email that seems completely innocent but ends up stealing your credentials.

To spot a phishing email, pay attention to these red flags:

  • Links that point to a URL that is not related to the company. Hover over the link and check the real destination before clicking.
  • Requests for personal information such as login details.
  • Always be suspicious and take it slowly before acting on any communication.
  • A sense of urgency. Stay calm and do not let the message rush you.
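The first two red flags, a link that leads away from the company and a request for login details from a sender who is not who they claim to be, are also the ones that can be checked mechanically, for example on messages that employees report to a shared abuse mailbox. The script below is an added example written for this post, not Hoxhunt’s code or part of its product. It assumes example.com is the company’s domain and runs on a constructed sample message, not the email shown above. It flags a sender address outside the company domain (however official the display name looks), http(s) links that lead outside the company, and links whose visible text shows one address while the href goes somewhere else. The domain test matches on the dotted boundary, so look-alike hosts such as example.com.evil.test or example-com.net are not accepted.

```python
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the targeted company's mail and intranet domain.
COMPANY_DOMAIN = "example.com"

# Constructed sample message for this example (not the email shown in the
# post): an "internal newsletter" from a sender with an official-looking
# display name whose links lead away from the company's domain.
SAMPLE_EML = """\
From: "Information Admin" <info-admin@example-com.net>
To: "Jane Doe" <jane.doe@example.com>
Subject: Employee health newsletter - please confirm your details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane,</p>
<p>Please confirm your details on the
<a href="https://portal.example.com.login-check.net/health">employee health portal</a>.</p>
<p>Last month's issue is archived
<a href="https://intranet.example.com/newsletters/2021-05">here</a>.</p>
<p>Log in at <a href="http://example.com.evil.test/login">https://intranet.example.com</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so multi-line link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def is_company_host(host, company_domain=COMPANY_DOMAIN):
    """True only for the company domain itself or a real subdomain of it.

    Matching on the dotted boundary is what defeats look-alikes such as
    'example.com.evil.test' (company name on the left, attacker's domain on
    the right) and 'example-com.net'; a plain substring test would pass both.
    """
    host = (host or "").lower().rstrip(".")
    company_domain = company_domain.lower()
    return host == company_domain or host.endswith("." + company_domain)


URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?")


def shown_host(text):
    """If the visible link text itself looks like a URL, return its host."""
    if not URL_LIKE.fullmatch(text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyze_message(raw, company_domain=COMPANY_DOMAIN):
    """Return a list of (red_flag, detail) tuples for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    # Red flag 1: the sender's real address is not on the company's domain,
    # however credible the display name ("Information Admin") looks.
    for addr in (msg["From"].addresses if msg["From"] else ()):
        if not is_company_host(addr.domain, company_domain):
            findings.append(("sender-domain", addr.addr_spec))

    # Red flag 2: http(s) links that lead outside the company, and links whose
    # visible text shows one address while the href actually goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        parts = urlparse(href)
        if parts.scheme not in ("http", "https"):
            continue
        host = parts.hostname or ""
        if not is_company_host(host, company_domain):
            findings.append(("external-link", href))
        shown = shown_host(text)
        if shown is not None and shown.lower() != host.lower():
            findings.append(("link-text-mismatch", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    for flag, detail in analyze_message(SAMPLE_EML):
        print(f"{flag:20s} {detail}")
```

On the sample message this reports the off-domain sender, the two links that lead outside example.com, and the link whose text reads https://intranet.example.com while its href points at example.com.evil.test. Treat it as a triage aid, not a verdict: a clean result is not proof of legitimacy (attackers also use compromised internal accounts and redirectors on reputable domains), so the advice above to verify with the sender through a known channel and to report the message still applies.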
