UCSF IT Technology

Threat Alert WordPress-Themed Lures Install Malicious Plugin 

Cybercriminals have launched a series of phishing attacks using the threat of employee transfers and terminations as a lure. The phishing emails use the subject line "Annual Transfer list & Terminated Employees.”While the email from field says it is from “Human Resources Management Section,” the sending address is a Gmail account. The phishing emails contain a legitimate Dropbox link purporting to lead to a document outlining employee transfers or terminations.

Attackers have launched a series of phishing attacks impersonating reputable secure share providers, which are used for securely sharing files. The lures contain links or attachments containing the supposed document. Interacting with the link or attachment leads to the installation of credential harvesting malicious software (malware). The sending address for the emails does not match the expected company domain for the secure share provider.

Recent email-based attacks have abused Microsoft’s legitimate OneNote application to share malicious files. The emails use subject lines like “New Document Shared with you” and encourage the recipient to follow a link to view a shared OneNote file.  The OneNote link leads recipients to a shared document which contains the text “DOUBLE CLICK TO DOWNLOAD THE FILE NOW.”Some attacks may also distribute similar malicious OneNote files as email attachments.