A new phishing email scam is under way that pretends to be from a company's human resources (HR) department and requests that the recipient read and acknowledge an attached "Rules of Conduct" document. This document, though, prompts you to log in at a fake Office 365 login prompt, which is used to steal your credentials.

This email will be from "H.R Dept" and have a subject line of "Rules of Conduct" as seen below.

Rules of Conduct Phishing Email

The text of this phishing email is:

Please take a moment of your valuable time to direct your attention to the attached letter that outlines the Rules of Conduct that this company expect from all its staffs.
We will appreciate your kind acknowledgement by sending an electronic copy of the attached letter no later than Apr/27/2018   to the HR office.


This e-mail is confidential and may contain legally privileged information. If you have received it by 
mistake, please inform us by reply e-mail and then delete it (including any attachments) from your 
system; you should not copy it or in any other way disclose its content to anyone. E-mail is 
susceptible to data corruption, interception, unauthorised amendment, tampering and virus. We do 
not accept liability for any such actions or the consequences thereof.

Attached to the email is a PDF called "Rules of Conduct.pdf" that, when opened, will display a fake Microsoft Word prompt. This prompt contains a link that, for some strange reason, asks you to "CLICK TO OPEN DOCUMENT WITH EXCEL".

PDF Attachment

If a user clicks on this link, they will go to the https://rhnedoeysihq.info/achachalta/tused.php?id=[campaign_id] URL, which will then redirect the user to the Office 365 page shown below.

Office 365 Phishing Page

When a user enters their credentials in the above page, the scammers will record the information, and then pretend to open a document. Ultimately, the recipient will be shown a document from the legitimate doingbusiness.org.

Legitimate doingbusiness.org PDF

If you have fallen for this scam, you should immediately tell your company's administrator and change your Office 365 password. Your administrator should also confirm that no third-party apps have been given access to your account while the attackers had access to it.
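For administrators who want to check a mail archive for this campaign, the following added example (not code from the original article) scores a message against the indicators described above: sender display name, subject, attachment name, and the link host inside the PDF. The sample message, its sender address and its PDF body are constructed, and the link extraction assumes the PDF stores its link annotation uncompressed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators taken from the article above.
SENDER_NAME = "h.r dept"
SUBJECT = "rules of conduct"
ATTACHMENT = "rules of conduct.pdf"
LURE_HOST = "rhnedoeysihq.info"
# Assumption: the link annotation is uncompressed, e.g. /URI (https://...)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def pdf_link_hosts(pdf_bytes):
    """Return the set of hostnames found in /URI actions of a PDF."""
    hosts = set()
    for raw in URI_RE.findall(pdf_bytes):
        host = urlsplit(raw.decode("latin-1")).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def score_message(raw_bytes):
    """Return the campaign indicators present in one RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    name, _addr = parseaddr(str(msg.get("From", "")))
    if name.strip().lower() == SENDER_NAME:
        hits.append("sender_display_name")
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename == ATTACHMENT:
            hits.append("attachment_name")
        if filename.endswith(".pdf") and LURE_HOST in pdf_link_hosts(part.get_payload(decode=True) or b""):
            hits.append("pdf_link_host")
    return hits

def build_sample():
    """Constructed test message; the sender address and PDF body are made up."""
    msg = EmailMessage()
    msg["From"] = '"H.R Dept" <hr@example.com>'
    msg["Subject"] = "Rules of Conduct"
    msg.set_content("Please see the attached letter.")
    pdf = b"%PDF-1.4\n1 0 obj << /S /URI /URI (https://rhnedoeysihq.info/achachalta/tused.php?id=TEST) >> endobj\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="Rules of Conduct.pdf")
    return msg.as_bytes()
```

A message that matches only the subject, which is a plausible legitimate HR subject line, should be treated as a weak signal; the attachment name and PDF link host together are the stronger match.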

Be careful, stay safe, and have a nice weekend!
