A new phishing email scam is under way that pretends to be from a company's human resources (HR) department and requests that the recipient read and acknowledge an attached "Rules of Conduct" document. The document, though, prompts you to log in at a fake Office 365 login page, which is used to steal your credentials.
This email will be from "H.R Dept" and have a subject line of "Rules of Conduct" as seen below.
The text of this phishing email is:
Please take a moment of your valuable time to direct your attention to the attached letter that outlines the Rules of Conduct that this company expect from all its staffs. We will appreciate your kind acknowledgement by sending an electronic copy of the attached letter no later than Apr/27/2018 to the HR office.

Regards
HR DEPT

This e-mail is confidential and may contain legally privileged information. If you have received it by mistake, please inform us by reply e-mail and then delete it (including any attachments) from your system; you should not copy it or in any other way disclose its content to anyone. E-mail is susceptible to data corruption, interception, unauthorised amendment, tampering and virus. We do not accept liability for any such actions or the consequences thereof.
Attached to the email is a PDF called "Rules of Conduct.pdf" that, when opened, displays a fake Microsoft Word prompt. This prompt contains a link that, for some strange reason, asks you to "CLICK TO OPEN DOCUMENT WITH EXCEL".
If a user clicks on this link, they will go to the https://rhnedoeysihq.info/achachalta/tused.php?id=[campaign_id] URL, which will then redirect the user to the Office 365 page shown below.
When a user enters their credentials in the above page, the scammers will record the information, and then pretend to open a document. Ultimately, the recipient will be shown a document from the legitimate doingbusiness.org.
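A mail-triage check built from the indicators this article reports (the sender display name, subject line, attachment name and redirector host), as an added example that is not part of the original article. The message dicts, the helper names and the campaign id value are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators as reported in the article; the host is the redirector that
# forwards victims to the fake Office 365 login page.
PHISH_SENDER = "H.R Dept"
PHISH_SUBJECT = "Rules of Conduct"
PHISH_ATTACHMENT = "Rules of Conduct.pdf"
PHISH_HOST = "rhnedoeysihq.info"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def campaign_id(url):
    """Return the id= parameter of the article's redirector URL, or None
    if the URL points anywhere else."""
    parts = urlparse(url)
    if parts.hostname != PHISH_HOST:
        return None
    return parse_qs(parts.query).get("id", [None])[0]


def assess(msg):
    """Score an already-parsed message (a dict with from_name, subject,
    attachments, body and attachment_urls) against the indicators.
    Returns (score, reasons); a score of 0 means nothing matched."""
    reasons = []
    if msg.get("from_name", "").strip().lower() == PHISH_SENDER.lower():
        reasons.append("sender display name matches")
    if msg.get("subject", "").strip().lower() == PHISH_SUBJECT.lower():
        reasons.append("subject matches")
    if any(a.lower() == PHISH_ATTACHMENT.lower() for a in msg.get("attachments", [])):
        reasons.append("attachment name matches")
    # URLs may sit in the mail body or inside the PDF attachment.
    for url in URL_RE.findall(msg.get("body", "")) + msg.get("attachment_urls", []):
        cid = campaign_id(url)
        if cid is not None:
            reasons.append("redirector URL with campaign id " + cid)
    return len(reasons), reasons


# Constructed sample messages: one matching the campaign, one benign.
PHISH_SAMPLE = {
    "from_name": "H.R Dept",
    "subject": "Rules of Conduct",
    "attachments": ["Rules of Conduct.pdf"],
    "body": "Please take a moment of your valuable time ...",
    "attachment_urls": ["https://rhnedoeysihq.info/achachalta/tused.php?id=sample123"],
}
BENIGN_SAMPLE = {
    "from_name": "Payroll",
    "subject": "April payslip",
    "attachments": ["payslip.pdf"],
    "body": "See https://intranet.example.test/payslips",
    "attachment_urls": [],
}
```

Exact matching on the subject, sender and host is deliberately narrow; the domain will change between campaigns, so the PDF-that-opens-a-login-page pattern is the durable signal to train users and reviewers on.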
If you have fallen for this scam, you should immediately tell your company's administrator and change your Office 365 password. Your administrator should also confirm that no third-party apps were granted access to your account while the attackers had access to it.
Be careful, stay safe, and have a nice weekend!