In a similar campaign, the messages include an EML attachment with a QR code that directs users to a counterfeit Docusign page, which prompts them to log in to their Microsoft account to verify their identity before they can view the report. When the user signs in to the Microsoft account and enters the provided code, the threat actors behind the campaign capture the user's authentication token, which they can use to access the user's account. This campaign uses EvilTokens Device Code phishing-as-a-service (PhaaS).
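One way a defender could surface the device code sign-ins this campaign depends on, shown as an added example that is not part of the NJCCIC advisory. The log records are constructed, their field names are modelled on flattened Microsoft Entra ID sign-in logs (an assumption about your export), and the allowlist and function name are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line. Field names are modelled
# on Microsoft Entra ID sign-in logs (flattened); adjust them to your export.
SAMPLE_LOG = """
{"createdDateTime":"2025-01-06T09:01:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.10","country":"US","errorCode":0}
{"createdDateTime":"2025-01-06T09:05:00Z","userPrincipalName":"room1@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","country":"US","errorCode":0}
{"createdDateTime":"2025-01-06T09:30:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","country":"NL","errorCode":0}
{"createdDateTime":"2025-01-06T10:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.30","country":"US","errorCode":1}
{"createdDateTime":"2025-01-06T11:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.30","country":"US","errorCode":0}
{"createdDateTime":"2025-01-06T11:30:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.30","country":"US","errorCode":0}
"""

# Hypothetical allowlist: accounts on input-constrained devices that are
# expected to use the device code flow.
EXPECTED_DEVICE_CODE_USERS = {"room1@example.com"}

def find_device_code_signins(log_text, allowlist=EXPECTED_DEVICE_CODE_USERS):
    """Return alerts for successful device code sign-ins by unexpected users."""
    seen_countries = defaultdict(set)  # user -> countries of earlier successes
    used_before = set()                # users with an earlier device code success
    alerts = []
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        if rec["errorCode"] != 0:      # non-zero = failed sign-in, no token issued
            continue
        user, country = rec["userPrincipalName"].lower(), rec["country"]
        if rec["authenticationProtocol"] == "deviceCode" and user not in allowlist:
            reasons = []
            if user not in used_before:
                reasons.append("first device code sign-in for user")
            if seen_countries[user] and country not in seen_countries[user]:
                reasons.append("country not seen before for user")
            severity = ("low", "medium", "high")[len(reasons)]
            alerts.append({"time": rec["createdDateTime"], "user": user,
                           "ip": rec["ipAddress"], "severity": severity,
                           "reasons": reasons})
            used_before.add(user)
        seen_countries[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in find_device_code_signins(SAMPLE_LOG):
        print(alert)
```

A high or medium alert is a prompt to check with the user and, if the sign-in was not theirs, to revoke the account's sessions and tokens in addition to the password change recommended below.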
Recommendations
- Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
- Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.
- Enable MFA and keep systems and browsers up to date.
- If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.
- Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
- Report malicious cyber activity to the NJCCIC and the FBI's IC3.
