This content is viewable by Everyone
Apr 2023: Phishing Lures Abuse SAP Concur and DocuSign
Threat Alert: What to Watch For
- Cybercriminals have launched phishing attacks using apparently compromised SAP Concur and DocuSign accounts to distribute malicious emails.
- The phishing lures use financial themes, such as an expense report on SAP Concur or a financial settlement document on DocuSign.
- The lures include malicious links. When clicked, the links lead to a credential phishing kit that redirects the user to a legitimate login page. While the page itself is legitimate, the original phishing server will intercept any entered credentials, including multi-factor authentication (MFA) tokens.
Key Action: Report Suspicious Emails
- Report ANY suspicious emails using the Phish Alarm button in your email menu bar.
- Remember: Our organization occasionally sends phishing simulations that are used to evaluate the potential impact of a real phishing attack. Report any emails that match the tactics described above.
- If a reported message is a simulation, you will see a notification alerting you to that. No further action is needed on your part.
- If a reported message was not a simulation, and you are concerned about a time-sensitive request, you must take additional steps to verify the email is valid before acting on it.
Tips to Remember (at Work and at Home)
- Go beyond surface clues. Familiar logos, branding, and names are not automatic indicators that an email or website is safe. Cybercriminals often imitate well-known organizations.
- Verify the legitimacy of any unsolicited/unexpected email before you interact with it, especially if it directs you to click on a link or asks you to provide credentials. It can be tempting to click on a “call-to-action.” But if you notice a subtle change or inconsistency within a message claiming to be from finance or another internal department, don’t ignore it—report it.
- Remember legitimate services can still be abused. Cybercriminals frequently find ways to abuse legitimate, trusted brands in their attacks. If you receive a suspicious or unexpected email, even from a platform you use, exercise caution. Whenever possible, log into the platform directly using a known, trusted URL rather than following a link in an email.