A new phishing email scam is under way that pretends to be from a company's human resources (HR) department and requests that the recipient read and acknowledge an attached "Rules of Conduct" document. This document, though, prompts you to login at a fake Office 365 login prompt, which is used to steal your credentials.

This email will be from "H.R Dept" and have a subject line of "Rules of Conduct" as seen below.

Rules of Conduct Phishing Email

The text of this phishing email is:

Please take a moment of your valuable time to direct your attention to the attached letter that outlines the Rules of Conduct that this company expect from all its staffs.

We will appreciate your kind acknowledgement by sending an electronic copy of the attached letter no later than Apr/27/2018 to the HR office.

Regards
HR DEPT

This e-mail is confidential and may contain legally privileged information. If you have received it by mistake, please inform us by reply e-mail and then delete it (including any attachments) from your system; you should not copy it or in any other way disclose its content to anyone. E-mail is susceptible to data corruption, interception, unauthorised amendment, tampering and virus. We do not accept liability for any such actions or the consequences thereof.

Attached to the email is a PDF called "Rules of Conduct.pdf" that, when opened, displays a fake Microsoft Word prompt. This prompt contains a link that, for some strange reason, asks you to "CLICK TO OPEN DOCUMENT WITH EXCEL".

PDF Attachment

If a user clicks on this link, they will go to the https://rhnedoeysihq.info/achachalta/tused.php?id=[campaign_id] URL, which will then redirect the user to the Office 365 page shown below.

Office 365 Phishing Page

When a user enters their credentials in the above page, the scammers will record the information, and then pretend to open a document. Ultimately, the recipient will be shown a document from the legitimate doingbusiness.org.

Legitimate doingbusiness.org PDF
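As an added defender-side example (not code from the article), the following Python triages constructed proxy log lines for the chain described above: a hit on the tused.php landing URL, followed by a POST to the same host, which indicates the fake login form was submitted. Only the rhnedoeysihq.info landing URL comes from the article; the log format, the login and decoy paths, the campaign ids and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicator taken from the article: the link target embedded in the PDF.
PHISH_HOST = "rhnedoeysihq.info"
PHISH_PATH = "/achachalta/tused.php"

# Constructed proxy log lines in a hypothetical "timestamp client method url status"
# format. The login-page path and the decoy PDF path are placeholders, not values
# from the article; only the tused.php URL is the real indicator.
SAMPLE_LOG = """\
2018-04-20T09:12:01Z 10.0.0.15 GET https://rhnedoeysihq.info/achachalta/tused.php?id=abc123 302
2018-04-20T09:12:02Z 10.0.0.15 GET https://rhnedoeysihq.info/login-placeholder 200
2018-04-20T09:12:40Z 10.0.0.15 POST https://rhnedoeysihq.info/login-placeholder 302
2018-04-20T09:12:41Z 10.0.0.15 GET https://doingbusiness.org/decoy-placeholder.pdf 200
2018-04-20T09:15:00Z 10.0.0.22 GET https://rhnedoeysihq.info/achachalta/tused.php?id=def456 302
2018-04-20T09:20:00Z 10.0.0.31 GET https://doingbusiness.org/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def campaign_id(url):
    """Return the campaign id if url is the PDF's landing URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != PHISH_HOST or parts.path != PHISH_PATH:
        return None
    # A landing hit without an id is still a hit; report an empty id for it.
    return parse_qs(parts.query).get("id", [""])[0]


def triage(log_text):
    """Per client: campaign id of the landing hit, and whether a later POST to the
    phishing host followed (credentials were likely submitted and need resetting)."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        cid = campaign_id(ev["url"])
        if cid is not None:
            hits.setdefault(ev["client"], {"campaign_id": cid, "posted": False})
        elif ev["client"] in hits and ev["method"] == "POST" \
                and urlsplit(ev["url"]).hostname == PHISH_HOST:
            hits[ev["client"]]["posted"] = True
    return hits
```

Clients with `posted` set are the ones whose Office 365 password should be reset and whose account should be checked for third-party app grants; clients that only hit the landing URL still warrant a follow-up with the user.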

If you have fallen for this scam, you should immediately tell your company's administrator and change your Office 365 password. Your administrator should also confirm that no third-party apps were given access to your account while the attackers had access to it.

Be careful, stay safe, and have a nice weekend!
