New Year, New Cyber Threats

In this edition of the Be Everyday Ready Briefing, we’re looking at some of your biggest cyber threats for 2025.


EMPLOYEES ARE BYPASSING CYBERSECURITY MEASURES


As companies increasingly depend on digital tools and cloud-based workflows, a critical issue is arising. Employees are sidestepping security protocols to achieve productivity targets, unintentionally creating major cybersecurity threats.

Contributed by Brian Rushton-Phillips


A recent CyberArk survey highlights the extent of this problem, showing that 65% of office workers confess to bypassing company security rules for the sake of efficiency. This conflict between security and productivity highlights a major challenge for organizations in today’s fast-paced business landscape:

How can you enforce compliance without hindering workflow?

The Weakest Link

Contemporary companies implement measures to safeguard sensitive information, such as multi-factor authentication (MFA) and real-time threat detection. However, when employees reuse passwords, share login details, or access work applications from unsecured personal devices, they introduce weaknesses that even the most sophisticated systems cannot eliminate. Consider these findings from the CyberArk study:

  • Password Reuse: 49% of participants admit to using identical login details for various work applications, and 36% apply the same credentials for both personal and professional accounts.
  • Password Sharing: 30% of employees disclose their workplace passwords to colleagues, effectively undermining the security provided by unique credentials or MFA.
  • Device Security Gaps: 36% postpone the installation of security updates on personal devices used for work, leaving critical applications vulnerable to exploitation.
  • AI Risks: With artificial intelligence tools becoming prevalent in workflows, 72% of employees report using AI tools, yet 38% either disregard company policies regarding sensitive data input or claim no such policies exist, putting valuable data at risk.
  • Personal Devices: 80% of respondents access workplace applications from personal devices that lack adequate security measures.
  • Sharing Confidential Data: 52% of respondents admitted to sharing confidential workplace information with external parties, heightening the risk of data breaches.

The Reason Why

It's easy to see why individuals might overlook or bypass security protocols.

As many employees strive to meet job demands, immediate priorities can eclipse security concerns. The urgency of pressing tasks can push worries about possible cyber incidents to the back of their minds when faced with a looming deadline.

In terms of cybersecurity, the fundamental reasons for employee disengagement include:

  • Convenience vs. Security: Employees frequently perceive security measures as burdensome. Lengthy, intricate passwords, repeated logins, and multi-factor authentication can seem like obstacles to efficiency.
  • Pressure to Deliver: In dynamic work settings, adhering to deadlines often takes priority over adhering to security protocols. Employees might view bypassing these measures as a necessary compromise.
  • Lack of Awareness: Many employees are not fully aware of the risks their actions may pose. Without adequate training, they might not recognize the link between ignoring a protocol and the potential for a security breach.

The saying “a chain is only as strong as its weakest link” is especially relevant in cybersecurity. Even the most sophisticated technologies can be compromised by a single weak password, an unpatched device, or an inadvertent click on a phishing email. Organizations need to acknowledge that employees are both their most valuable assets and their biggest vulnerabilities.

In the fast-changing threat environment of today, effective cybersecurity goes beyond purchasing top-notch solutions. It involves ensuring that everyone in the organization comprehends their responsibility in safeguarding the digital ecosystem. The most significant challenges and issues in cybersecurity have always been, and continue to be, human-related.




Gain more insight from our blog and podcast >>



PHISHING CAMPAIGN TARGETING NEW EMPLOYEE HANDBOOKS


Cyderes SOC has identified a new global phishing campaign exploiting themes of new employee handbooks.

Contributed by Ethan Fite


This campaign has been observed across multiple organizations, leveraging highly targeted PDFs containing company branding, and phishing payloads nested behind CAPTCHA checks to avoid detection. The attackers aim to steal credentials or deliver malware via QR codes embedded in the document. Organizations must act immediately to mitigate this threat, leveraging email security enhancements, end-user training, and robust threat intelligence sharing.


Key Characteristics of the Campaign and Payload Analysis

1) Subjects (Examples)

  • Employee Handbook For All [COMPANY] Employees Ref THEPCR
  • Employee-Handbook For All [COMPANY] | Ref ZKTKEF
  • Revised – [COMPANY] Handbook


2) Senders (Examples)

  • Noreply - [COMPANY] Automated Notification [COMPANY]_notice8282.automated.onmicrosoft.teams@visionlateral[.]cl
  • [COMPANY] mike@asnysecurity[.]com
  • [COMPANY] directdebit@tokyofood[.]co[.]nz


3) PDF Attachments (Examples)

  • Revised - [COMPANY] EmployeeHB5107.pdf
  • [EMPLOYEE NAME].pdf
  • Revised-[COMPANY] Handbook 37392.pdf


4) Observed URLs (Defanged)

  • hxxps://home[.]coxsbazartimes24[.]com/?WOEvb=ix&newblaw11=
  • hxxps://confirm-ruoytnuoccawon[.]federalappstorage[.]com
  • hxxps://xwe[.]soundestlink[.]com/ce/c/6761b7da0bb04571be0199f7/6761ed3e07a24e80c1b1baa7/6761ed5af9a08fb1fbc2b344?signature=d885c666c5e36849e8bcc98aeb83799b5e230a4dc9aeaebfa3adc8b9eb109ad4

 

5) PDF Characteristics

  • Page 1: Target-specific company logo and introductory text about the new handbook.
  • Page 2: Generic bullet list of the handbook’s table of contents.
  • Page 3: Instructions referencing a new company policy and a QR code that redirects to a phishing payload.
  • Payloads: Differ for each target, often leading to credential harvesting or malware download.


6) Post-QR Code Payload

After scanning the QR code in the phishing PDF, victims are directed to a CAPTCHA verification page. This added layer serves multiple purposes:

  • Legitimacy: The CAPTCHA makes the process appear authentic.
  • Detection Bypass: CAPTCHA may prevent automated security tools from analyzing the payload.

7) Behavioral Analysis

  • Identified Visitors: Redirected to legitimate websites such as yahoo.com or google.com.
  • Unidentified Visitors: Redirected to Microsoft-branded credential harvesting pages.

Recommended Mitigations

1) Email Security Gateway Configuration

Create a custom policy to detect and quarantine emails with the following patterns:

  • Subject Line Keywords: “Employee Handbook,” “Revised Handbook,” “For All Employees,” “Ref [alphanumeric code],” “[COMPANY NAME].”
  • Attachment Filenames: Use pattern-based detection to flag filenames including terms like “EmployeeHB,” “Handbook,” or alphanumeric references.
  • Sender Domain Analysis: Alert on discrepancies between sender display names (e.g., “[COMPANY NAME]”) and sender domains.
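The three gateway patterns above, implemented as an added Python example that is not part of the briefing or of any Cyderes tooling; the company name, its legitimate sending domains and the two sample messages are constructed assumptions:

```python
import re
from email.utils import parseaddr

# Constructed assumptions (not from the briefing): the protected company's name as it
# appears in display names, and the domains it legitimately sends from.
COMPANY_NAME = "ExampleCorp"
COMPANY_DOMAINS = {"examplecorp.example"}

# Subject-line keywords observed in the campaign plus the trailing "Ref <code>" tag.
SUBJECT_RE = re.compile(
    r"employee[\s-]?handbook|revised\W+.*handbook|for all .*employees|\bref\s+[A-Z0-9]{5,8}\b",
    re.IGNORECASE,
)
# Attachment names: "EmployeeHB", "Handbook", or a bare numeric reference before .pdf.
ATTACHMENT_RE = re.compile(r"employeehb|handbook|\b\d{4,5}\.pdf$", re.IGNORECASE)


def display_name_mismatch(from_header: str) -> bool:
    """True when the display name claims the company but the address domain is not ours."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    return COMPANY_NAME.lower() in name.lower() and domain not in COMPANY_DOMAINS


def evaluate(msg: dict) -> list:
    """Return the names of the policy patterns a message matches; any hit means quarantine."""
    hits = []
    if SUBJECT_RE.search(msg.get("subject", "")):
        hits.append("subject-keyword")
    if any(ATTACHMENT_RE.search(name) for name in msg.get("attachments", [])):
        hits.append("attachment-name")
    if display_name_mismatch(msg.get("from", "")):
        hits.append("display-name-mismatch")
    return hits


# Constructed sample messages modeled on the subject, sender and attachment patterns above.
SAMPLES = [
    {"from": '"ExampleCorp Automated Notification" <notice8282@attacker-notice.example>',
     "subject": "Employee Handbook For All ExampleCorp Employees Ref THEPCR",
     "attachments": ["Revised - ExampleCorp EmployeeHB5107.pdf"]},
    {"from": '"HR Team" <hr@examplecorp.example>',
     "subject": "Q1 benefits enrollment reminder",
     "attachments": ["benefits_summary.pdf"]},
]
```

A genuine internal handbook announcement will also trip the subject and attachment patterns, which is why the policy quarantines for manual release rather than dropping outright.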

 

2) Block QR Code URLs

Use web filtering solutions to proactively block access to URLs associated with malicious QR codes. Analyze any URLs for suspicious patterns or redirects.

 

3) Educate Employees

Conduct phishing awareness training focusing on:

  • Identifying suspicious subject lines and senders.
  • Verifying handbook communications through internal HR channels.
  • Avoiding QR codes in unsolicited documents.


4) Enhanced SOC Monitoring

Deploy threat hunting techniques to identify and analyze:

  • Emails with targeted PDFs.
  • URL click-through behavior from QR code scans.
  • Post-compromise indicators such as unusual login activity.


5) Collaborate on Threat Intelligence

Share IOC data and observed attack patterns with trusted partners and threat intelligence platforms to enhance collective defense.

 






EXECUTIVE IMPERSONATION SCAMS – Simple, Effective, and Dangerous


In this phishing attack breakdown, we’re focusing on a scam that may appear simple but continues to generate significant damage: executive impersonation phishing attacks.

Contributed by Ethan Fite


These attacks rely on social engineering and a sense of urgency, exploiting the trust employees place in their leadership teams. Despite their simplicity, these scams often succeed at alarming rates due to their effectiveness in deceiving users and bypassing standard email security measures.


How Executive Impersonation Scams Work

These attacks typically arrive as plain-text emails, deliberately designed to avoid detection by security filters that flag suspicious links or attachments. Their minimalistic structure and appearance often make them look less malicious, allowing them to slip through defenses.

Key characteristics include:

 

1) Impersonation of Executives: The email’s sender display name, subject line, or signature uses the name of a company executive (e.g., CEO, CFO, or department head) to add urgency and legitimacy.


2) Urgent Requests: The content often pushes immediate action with messages such as:


“Forward your active mobile number. I am trying to reach you.”

“I’m preparing for an impromptu meeting and require a task done urgently, be quick to provide your mobile number in your response to this email.”

“The attached is approved. Please process by ACH today.”

The scammer’s goal is to make the recipient bypass skepticism due to the perceived importance of the sender.

 

3) Targeting Direct Communication: Many executive impersonation emails ask for phone numbers, enabling the attacker to shift communication to SMS or phone calls. Once in direct contact, attackers have a greater chance of manipulating victims and extracting sensitive information or financial transactions.


4) Net-New Freemail Accounts: These attacks often originate from freemail domains such as Gmail, Yahoo, or Outlook, with the sender name spoofed to match the executive. However, they may also come from newly registered domains closely resembling corporate email addresses.

 

Why These Attacks Succeed

  • Authority Bias: Employees are inclined to comply with requests from company executives.
  • Sense of Urgency: Attackers exploit time pressure, discouraging careful verification.
  • Minimalistic Design: Without malicious links or attachments, these emails evade traditional security tools.
  • Direct Contact: Moving the conversation to a phone call or text eliminates security monitoring, giving attackers free rein.

Real-World Impact

Successful executive impersonation attacks can result in:

  • Financial Fraud: Processing fake invoices or approving wire transfers.
  • Credential Theft: Attackers request login details under the guise of urgent account access.
  • Data Loss: Employees unknowingly share sensitive internal or client information.
  • Operational Disruption: Misleading communication may interfere with workflows and decision-making.

How to Prevent Executive Impersonation Attacks

1) Optimize Your Email Security Gateway (SEG) Policies

  • Tighten Your SEG Rules: Configure your SEG to enforce stricter policies on external senders. It’s better to risk false positives (FPs) initially and release flagged emails manually than to allow malicious messages to reach your employees.
  • Drop Suspicious Emails: Ensure your gateway prioritizes dropping emails from freemail domains or newly registered external domains that impersonate executives.

2) Implement Custom Detection Rules

Create policies within your SEG or security tools to look for a combination of:

  • Freemail Domains: Gmail, Yahoo, Outlook, etc.
  • Executive Names: Keywords matching your leadership team’s names (both full and partial) in the sender, subject, or body of the email.
  • Urgent Language: Phrases like “urgent,” “as soon as possible,” “immediate action required,” and “approved invoice.”

Example Policy Logic:

(Freemail Domain) + (Executive Name) + (Urgent Keyword) → Drop Email

 

These rules help block obvious impersonation attempts before they reach inboxes.
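The (Freemail Domain) + (Executive Name) + (Urgent Keyword) → Drop Email logic as an added Python example, not code from the article or from Cyderes; the leadership roster, freemail list and sample messages are constructed assumptions. It also shows the partial-name matching the rule calls for and that all three conditions must fire before a message is dropped:

```python
import re
from email.utils import parseaddr

# Constructed assumptions (not from the article): the leadership roster and the
# freemail domains treated as untrusted when paired with an executive's name.
EXECUTIVES = ["Jane Doe", "Rahul Mehta"]
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Urgency phrases from the article; "urgent" is matched as a prefix so "urgently" counts.
URGENT_RE = re.compile(
    r"\burgent|as soon as possible|immediate action required|approved invoice",
    re.IGNORECASE,
)


def executive_patterns():
    """Full names plus partial matches (any name part of 4+ letters) as whole-word regexes."""
    names = set()
    for full in EXECUTIVES:
        names.add(full)
        names.update(part for part in full.split() if len(part) >= 4)
    return [re.compile(r"\b" + re.escape(n) + r"\b", re.IGNORECASE) for n in names]


EXEC_RES = executive_patterns()


def classify(msg: dict) -> tuple:
    """(Freemail Domain) + (Executive Name) + (Urgent Keyword) -> drop.
    Returns the verdict and which of the three conditions fired, for rule tuning."""
    display, addr = parseaddr(msg.get("from", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    content = msg.get("subject", "") + " " + msg.get("body", "")
    conditions = {
        "freemail": domain in FREEMAIL_DOMAINS,
        "executive_name": any(p.search(display + " " + content) for p in EXEC_RES),
        "urgent": bool(URGENT_RE.search(content)),
    }
    return ("drop" if all(conditions.values()) else "deliver"), conditions


# Constructed samples modeled on the plain-text lures quoted above.
SAMPLES = [
    {"from": "Jane Doe <jane.doe.ceo@gmail.com>", "subject": "Quick task",
     "body": "I'm preparing for an impromptu meeting and require a task done urgently, "
             "be quick to provide your mobile number in your response to this email."},
    {"from": "Jane Doe <jane.doe@examplecorp.example>", "subject": "Approved invoice",
     "body": "The attached is approved. Please process by ACH today."},
]
```

A spoofed display name on a corporate-looking domain does not trip this rule; catching that is the job of the DMARC, SPF and DKIM controls listed under Additional Technical Controls.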

 

3) Strengthen User Awareness and Reporting

No matter how strong your email security is, some phishing emails will slip through. Training employees to recognize and report these emails is critical:

  • Ongoing Security Awareness Training: Conduct regular training sessions to educate employees on phishing tactics, especially executive impersonation attempts. Provide real-world examples of plain-text scams and the danger of sharing contact details.
  • Encourage Reporting: Implement an easy-to-use “Report Phishing” button and emphasize the importance of reporting suspicious emails.

 

4) Monitor User-Reported Emails (Cyderes CAN Help)

Ensure your team actively reviews reported phishing emails and adjusts SEG rules to prevent further attempts. If your organization lacks the resources to monitor user-reported phishing emails, Cyderes can help.

Our phishing response service includes rapid analysis of reported phishing emails and proactive monitoring of phishing trends to stay ahead of attackers.

 

Additional Technical Controls

  • Implement DMARC, SPF, and DKIM: These email authentication protocols reduce the likelihood of domain spoofing.
  • Restrict External Communication: Consider implementing policies to flag or block emails from external senders using executive names.
  • Deploy Advanced Threat Detection: Use tools that incorporate machine learning and behavioral analysis to detect anomalies in email communications.

 

Conclusion

Executive impersonation phishing attacks highlight the power of simplicity and social engineering. While these scams rely on plain-text emails and urgency, their impact can be severe, from financial losses to compromised data. By combining technical controls (tight SEG policies, custom rules) with user awareness and a robust reporting process, organizations can significantly reduce the success rate of these attacks. If you need support in phishing detection and response, Cyderes is here to help. Stay vigilant, stay informed, and keep phishing attempts at bay.




Follow our story ➜ https://linkedin.com/company/cyderes

Mike Dickerson

Software Architect | Security & Infra Automation | Bridging Legacy to Cloud


My favorite: you have a file on your home computer that you could use to make life at work simpler in some way. But, with network security and VPN and group policies and "stuff", you can't copy the file to your work computer. USB ports are blocked; seemingly no way to get there from here. On your home computer, open Chrome, go to Gmail, create a draft email and attach the file. Go to your work computer, open Chrome, open the same draft email, and save the file locally. Too easy!!
