
A clever social engineering approach we often see involves attackers crafting emails that pose as internal HR communications. This “employee performance report” campaign, purporting to come from the recipient's own HR department, also carried multiple payloads (a link and an attachment), a combination that is becoming increasingly popular. The attackers send from a look-alike domain of the intended recipient's organization. The email lures its target by claiming that the performance report contains a list of employees who are being promoted, a tactic that entices users to interact with the link or the attached file.

However, cleverer than the email lure is the functionality of the phishing site delivered in the payload URL. These threat actors are using Cloudflare's R2 cloud storage service to host a modular credential-harvesting page that customizes itself according to the target's domain. For demonstration purposes, we manually added test@microsoft.com to the end of the payload link to show the site pulling the homepage of the target domain's website into the background. You can also see that the Microsoft logo is pulled and inserted above the “Sign in” option, while the AVG Internet Security logo is static and is included to add legitimacy.

As you can see below, appending any domain to the end of the URL makes the phishing page fully tailor itself to that organization, lulling end users into a false sense of security.
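Two of the indicators above are mechanical enough to check automatically: the payload URL carries the victim's email address at its end (which the page uses to pick the domain whose homepage it frames), and the sender domain is a look-alike of the recipient's own. The following is an added example, not code from the original post or from the campaign; it assumes the public bucket is served from a Cloudflare `*.r2.dev` hostname and that the email is appended in the URL fragment, query or path (all three are handled). The sample URLs and domains are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: public R2 buckets are served from pub-<id>.r2.dev hostnames.
R2_HOST_SUFFIX = ".r2.dev"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_target_email(url):
    """Return the first email address found in the URL's path, query or fragment.

    The kit described above reads the victim address off the end of the link,
    so we look in every part of the URL that can carry free-form text.
    """
    parts = urlsplit(url)
    for piece in (parts.path, parts.query, parts.fragment):
        match = EMAIL_RE.search(unquote(piece))
        if match:
            return match.group(0)
    return None


def target_domain(email):
    """Domain the modular page would pull branding from for this victim."""
    return email.rsplit("@", 1)[1].lower()


def is_r2_harvester_url(url):
    """Flag a link hosted on r2.dev that has a victim email appended to it."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(R2_HOST_SUFFIX) and extract_target_email(url) is not None


def triage(urls):
    """Summarize each URL: the appended email, the domain it will impersonate, and a verdict."""
    results = []
    for url in urls:
        email = extract_target_email(url)
        results.append({
            "url": url,
            "email": email,
            "target_domain": target_domain(email) if email else None,
            "flagged": is_r2_harvester_url(url),
        })
    return results


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, org_domain, max_distance=2):
    """True when the sender domain is close to, but not equal to, the organization's domain."""
    s, o = sender_domain.lower(), org_domain.lower()
    return s != o and edit_distance(s, o) <= max_distance


# Constructed sample links; the bucket id is made up.
SAMPLE_URLS = [
    "https://pub-0123456789abcdef.r2.dev/hr/report.html#test@microsoft.com",
    "https://pub-0123456789abcdef.r2.dev/hr/report.html?e=test%40example.org",
    "https://example.com/login",
    "https://pub-0123456789abcdef.r2.dev/docs/whitepaper.pdf",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_URLS):
        print(row)
    print(is_lookalike("c0ntoso.com", "contoso.com"))  # look-alike sender
    print(is_lookalike("contoso.com", "contoso.com"))  # the genuine domain
```

Run on mail-gateway URL logs, the `triage` verdicts give a list of links worth detonating, and `target_domain` tells you which organization each link was cut for; `is_lookalike` is deliberately simple (edit distance only) and should be tuned or replaced with a homoglyph-aware comparison before use at scale.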

Any communication claiming to be from HR, especially one asking you to click a link or open an attachment, should be viewed with a healthy amount of skepticism. If you encounter anything suspicious, confirm with the sender through a channel you already trust and/or report it to your IT department for investigation.
