‘Convincing’ Phishing Campaign Impersonates Govt. Agencies

Researchers have spotted the latest iteration of a 3-year-long phishing campaign that is getting increasingly sophisticated.
Aaron Drapkin

Security researchers have uncovered a series of phishing campaigns mimicking government agencies, which are being sent to contractors and businesses.

The campaigns themselves, which are “more convincing [and] more evasive” than ever before, are a continuation of a campaign that started way back in 2019, and continued during 2021 — but now, more agencies are being spoofed.

Password managers — which facilitate the creation of a different password for each account you own without you having to remember them all — greatly minimize the damage credential phishing can do.

Phishing Campaign Impersonates US Government

Researchers at Cofense have spotted a phishing campaign in which the threat actors masquerade as the Departments of Labor, Transportation, or Commerce.

The campaign largely targets firms that bid on government contracts, a group spanning a wide range of companies across several sectors of the economy, with the goal of stealing Microsoft 365 credentials.

The emails include detailed PDFs that Cofense says are shorter and more customized than previous iterations of a long-standing campaign.

Overall formatting of the documents is more consistent than observed previously, the phishing protection specialists noted, which is concerning considering inconsistencies of this kind are often one of the clearest signs an email like this isn't genuine.

Cofense says that the phishing campaign, which initially impersonated only the Department of Labor, has “evolved over time by improving the email contents, the PDF contents, and the appearance and behavior of the credential phishing pages.”

Clever tactics to fool even the most threat-savvy of employees include using HTTPS for the malicious domain users are redirected to, which ensures that a green padlock appears in the address bar.

[Image: Department of Labor phishing page. Image credit: Cofense]

Other techniques include asking victims to verify they're human via CAPTCHA, redirection to the legitimate government department pages after credential exfiltration, and official-looking watermarks on PDFs.

How Password Managers Minimize Credential Phishing Impact

If you’re not using software like a password manager, then there's a good chance you're reusing passwords from account to account. You wouldn’t be alone either, with plenty of people reusing their favorite passwords across business and personal accounts.

In this case, if your Microsoft 365 password was not unique, a hacker would have access to not just your Microsoft 365 account, but all other accounts you used that password with.

They’d be able to log into other employee accounts you own (perhaps a project management software app or your company’s CRM system) as well as any personal accounts with those credentials in use, which could lead to the theft and subsequent misuse of even more of your information.

Storing all of your passwords in one place means you only have to remember one pass key for your password manager account, so every other password can be completely unique, greatly minimizing the threat of such an attack.

Password managers protect you from a range of other cyber threats too. These include credential stuffing (using stolen credentials from one account to hack into other accounts a victim owns) and brute-forcing (running a script that bombards a login page with commonly used passwords, in the hope one is in use), both of which rely on weak or unsecured account credentials to work.

With threats getting ever-more sophisticated, equipping yourself with tech like this is the least you can do.


Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.
