Recent analysis has uncovered an active phishing campaign targeting organizations through business-related email communication. The attackers are using familiar corporate themes such as invoices, payments, and operational updates to make their emails appear legitimate. These emails are carefully designed to blend into everyday business workflows, especially within finance and procurement teams.
What makes this campaign particularly effective is its timing. It aligns with the financial year-end period—a time when companies are busy with reconciliations, vendor payments, and audits. During this phase, employees are more likely to open and process transactional emails without deep scrutiny, creating an ideal opportunity for attackers.

Although the wording and format of these emails may vary, the underlying attack pattern remains consistent. The campaign relies heavily on user interaction with malicious documents, which ultimately leads victims to credential harvesting websites.
Executive Summary
This blog evaluates an ongoing phishing operation that primarily targets finance and operational teams using invoice-based social engineering tactics. The attackers have adopted a flexible approach in email content while keeping their technical execution consistent. This balance helps them avoid traditional detection systems while maintaining a high success rate.
The campaign uses a multi-step process. Instead of directly embedding malicious links in emails, attackers deliver PDF attachments that act as an intermediate stage. These documents require user interaction before redirecting victims to fake login pages designed to steal credentials.
Another key observation is the use of multiple phishing kits. While these kits often look visually similar, they operate on different backend infrastructures. This modular setup allows attackers to quickly switch domains or hosting providers, making it harder for defenders to block the campaign entirely.
Given the focus on financial roles and the timing during high-activity periods, the risk of account compromise, financial fraud, and business email compromise (BEC) is significantly elevated.
Campaign Overview
The phishing emails in this campaign are built around common business scenarios. These include invoices, stock updates, and payment notifications. Most emails contain PDF attachments and are sent from external or spoofed domains to bypass basic filtering systems.
The language used in these emails is simple, professional, and intentionally vague. This helps them appear routine rather than suspicious. The goal is to encourage users—especially those in finance-related roles—to open the attachment and take action.
Attack Flow
The attack typically unfolds in several stages:
- The user receives an email related to business operations (e.g., invoice or payment notice).
- The email contains a PDF attachment.
- When opened, the PDF displays blurred or restricted content.
- The user is prompted to click a link, button, or scan a QR code to view the full document.
- This interaction redirects the user to a phishing website.
- The website mimics a legitimate login page and captures user credentials.
This staged approach lets attackers bypass traditional email security tools, which look for malicious links in the message itself, and instead relies on user behavior to complete the attack.
Initial Access Techniques
The phishing emails do not follow a single template. Instead, they vary in wording and structure, which helps them avoid detection.
Common patterns include:
- Generic greetings like “Dear Team”
- Lack of specific transaction details
- Short and professional tone
- References to routine financial processes
Common Lure Themes
- Invoice and billing requests
- Payment confirmations or reminders
- Procurement and supply chain updates
- Requests to review attached documents
This variation makes the emails appear more authentic across different departments.
Social Engineering Approach
The attackers rely heavily on context rather than urgency. Unlike traditional phishing attempts that create panic, these emails often appear routine and harmless.
Key techniques include:
- Using familiar business language
- Avoiding excessive urgency
- Occasionally referencing deadlines (e.g., financial closing periods)
This subtle approach increases trust and reduces suspicion.
Payload Analysis
The main payload used in this campaign is a malicious PDF file. These files are designed to trick users into interacting with them.
Key Characteristics
- Blurred or partially hidden content
- Prompts to “view” or “unlock” the document
- Embedded links or clickable elements
Once the link is clicked, the user is redirected to a phishing website.
This method offers several advantages to attackers:
- Avoids direct link detection in emails
- Encourages user interaction
- Separates delivery from exploitation
QR Code Phishing (Quishing)
Some PDFs include QR codes instead of clickable links.
Why this is effective
- Email filters often fail to scan QR codes
- Users scan them using mobile devices
- Directs victims straight to phishing pages
This technique is becoming increasingly common as organizations improve email security.
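The two lure characteristics described above (a page whose only visible content is an image, plus a link or QR code that leads off-document) can be triaged before the attachment reaches a mailbox. The following Python script is an added example and not tooling from the report or its authors; it scans the raw bytes of a PDF for URI actions, image-only pages without text operators, and active-content keys, and scores the result against a list of trusted domains. The sample PDF, the `invoice-review.example` URL and the `trusted` set are constructed for illustration. A QR code shows up to this scanner only as an image with no text, which is exactly why it checks for image-only pages rather than trying to decode the code itself.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF, not a real sample from the campaign: one page whose only
# visible content is an image XObject (the "blurred document" lure) plus a link
# annotation whose URI action points at an external site.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [6 0 R]
   /Resources << /XObject << /Im0 5 0 R >> >> >> endobj
4 0 obj << /Length 31 >> stream
q 612 0 0 792 0 0 cm /Im0 Do Q
endstream endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
   /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
\x00
endstream endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150]
   /A << /S /URI /URI (https://invoice-review.example/view?doc=1) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# URI actions may be written as literal strings "(...)" or hex strings "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Keys that give a PDF active behaviour; none are needed for a plain invoice.
ACTIVE = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
# Object streams and Flate-compressed objects hide dictionaries from a byte scan.
COMPRESSED = (b"/ObjStm", b"/FlateDecode")


def _unescape(s: bytes) -> str:
    # Undo the common PDF literal-string escapes; enough for URI triage.
    return (s.replace(b"\\(", b"(").replace(b"\\)", b")")
             .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_uris(pdf: bytes) -> list:
    """Return every URI action target found in the raw (uncompressed) PDF bytes."""
    uris = [_unescape(m) for m in URI_LITERAL.findall(pdf)]
    uris += [bytes.fromhex(h.decode()).decode("latin-1") for h in URI_HEX.findall(pdf)]
    return uris


def is_external(uri: str, trusted: set) -> bool:
    host = (urlparse(uri).hostname or "").lower()
    return not any(host == t or host.endswith("." + t) for t in trusted)


def triage(pdf: bytes, trusted: set) -> dict:
    """Score a PDF attachment on the lure traits seen in this campaign."""
    uris = extract_uris(pdf)
    external = [u for u in uris if is_external(u, trusted)]
    images = len(re.findall(rb"/Subtype\s*/Image", pdf))
    # BT ... ET brackets a text object; a page with images but no text is the
    # "blurred document" / QR-code layout rather than a real invoice.
    has_text = re.search(rb"\bBT\b[\s\S]*?\bET\b", pdf) is not None
    image_only_with_link = images > 0 and not has_text and bool(uris)
    active = [tag.decode() for tag in ACTIVE if tag in pdf]
    needs_decompress = any(tag in pdf for tag in COMPRESSED)

    score = (2 * min(len(external), 3)
             + (2 if image_only_with_link else 0)
             + (3 if active else 0))
    if score >= 3:
        verdict = "suspicious"
    elif needs_decompress:
        verdict = "needs_full_parse"   # byte scan cannot see inside compressed objects
    else:
        verdict = "no_findings"
    return {"uris": uris, "external_uris": external,
            "image_only_with_link": image_only_with_link, "active_content": active,
            "needs_decompress": needs_decompress, "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_PDF, {"example.com"})   # trusted set is an assumption
    for key, value in result.items():
        print(f"{key:22} {value}")
```

The `needs_full_parse` verdict is the caveat that matters in practice: a byte-level scan only sees uncompressed objects, so a gateway should decompress object streams with a proper PDF library before trusting a `no_findings` result.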
Credential Harvesting Infrastructure
After redirection, users land on fake login pages that closely resemble legitimate services.
Observations
- Multiple phishing kits are used
- Similar visual designs across different kits
- Different backend infrastructures (domains, hosting, scripts)
This indicates a modular system where attackers reuse front-end templates but frequently change backend components. This helps them stay active even when parts of their infrastructure are blocked.
External Threat Landscape
This campaign reflects a broader shift in phishing tactics. Attackers are moving away from simple link-based attacks and adopting multi-stage approaches that rely on user interaction.
Expected Evolution
- More advanced document obfuscation
- Increased use of QR-based attacks
- Techniques to bypass multi-factor authentication
Targeted Sectors
- Finance and accounting teams
- Procurement and supply chain functions
- Organizations with high transaction volumes
Industries operating under tight financial deadlines are especially vulnerable.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Credential Access | T1056.003 | Input Capture: Web Portal Capture |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1036 | Masquerading |
| Collection | T1056 | Input Capture |
Conclusion
This phishing campaign demonstrates a well-organized and adaptable attack strategy. By combining realistic business communication with multi-step delivery methods, attackers are able to bypass traditional defenses and increase their chances of success.
The use of modular infrastructure allows them to quickly adapt and continue operations even when parts of their system are disrupted. Given the focus on financial roles and high-activity periods, the potential impact includes credential theft, unauthorized access, and financial loss.
Organizations must treat this as a serious and ongoing threat requiring continuous monitoring and proactive defense measures.
Recommendations
To reduce risk, organizations should adopt a layered security approach:
Email Security
- Use advanced filtering for attachments
- Sandbox PDF files before delivery
- Flag suspicious external emails
Access Control
- Enforce multi-factor authentication
- Monitor unusual login activity
- Apply conditional access policies
Network Protection
- Block newly registered domains
- Monitor redirection patterns
- Use web filtering tools
User Awareness
- Train finance and procurement teams
- Educate users on PDF-based phishing
- Encourage verification of financial requests
Incident Response
- Monitor indicators of compromise
- Prepare response plans for credential leaks
- Update detection rules regularly
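The Network Protection items above ("Block newly registered domains", "Monitor redirection patterns") and the Credential Harvesting Infrastructure section describe the same observable: a click in a document hops through a redirector to a freshly registered login look-alike, followed by a form submission. The Python below is an added example, not a detection from the report, that reconstructs per-client redirect chains from proxy logs and raises an alert when a chain crosses domains, lands on a domain younger than a threshold, and is followed by a POST to that host. The log lines, the `DOMAIN_CREATED` table (standing in for a WHOIS/RDAP or domain-age feed), the hostnames, the 15-second chain window and the 30-day threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlparse

# Constructed proxy log excerpt (pipe-delimited: time|client|method|url|status|location),
# not real campaign telemetry. A workstation follows a "view document" link, is
# redirected to a look-alike login page and submits a form there.
LOG_LINES = [
    "2024-03-28T14:02:11Z|10.1.5.23|GET|https://cdn-docshare.example/d/8f2a|302|https://secure-login-verify.example/auth",
    "2024-03-28T14:02:12Z|10.1.5.23|GET|https://secure-login-verify.example/auth|200|-",
    "2024-03-28T14:02:40Z|10.1.5.23|POST|https://secure-login-verify.example/auth/submit|200|-",
    "2024-03-28T14:05:00Z|10.1.7.9|GET|https://www.example.com/reports|200|-",
]

# Constructed stand-in for a WHOIS/RDAP or domain-age feed, keyed by registrable domain.
DOMAIN_CREATED = {
    "cdn-docshare.example": "2024-03-20",
    "secure-login-verify.example": "2024-03-25",
    "example.com": "1995-08-14",
}
NOW = datetime(2024, 3, 28, 15, 0, tzinfo=timezone.utc)  # analysis time, constructed
NRD_DAYS = 30            # "newly registered" threshold, an assumption for this example
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    location: Optional[str]


def parse_line(line: str) -> Request:
    ts, client, method, url, status, location = line.split("|")
    return Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                   client, method, url, int(status), None if location == "-" else location)


def load_requests(lines) -> List[Request]:
    return [parse_line(line) for line in lines]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    # Crude eTLD+1 (last two labels); production code should use a public-suffix list.
    return ".".join(host.split(".")[-2:])


def domain_age_days(host: str, now: datetime = NOW) -> Optional[int]:
    created = DOMAIN_CREATED.get(registrable(host))
    if created is None:
        return None
    return (now - datetime.strptime(created, "%Y-%m-%d").replace(tzinfo=timezone.utc)).days


def build_chains(reqs: List[Request], window: timedelta = timedelta(seconds=15)) -> List[List[Request]]:
    """Stitch each client's requests into redirect chains: a 3xx carrying a Location,
    followed by the same client fetching that Location within `window`, continues the chain."""
    chains, pending = [], {}
    for r in sorted(reqs, key=lambda x: (x.client, x.ts)):
        key = (r.client, r.url)
        if key in pending and r.ts - pending[key][-1].ts <= window:
            chain = pending.pop(key)
            chain.append(r)
        else:
            chain = [r]
            chains.append(chain)
        if r.status in REDIRECTS and r.location:
            pending[(r.client, r.location)] = chain
    return chains


def analyze(reqs: List[Request], now: datetime = NOW) -> List[dict]:
    """Alert on cross-domain redirect chains, enriched with domain age and POST correlation."""
    posts = {(r.client, host_of(r.url)) for r in reqs if r.method == "POST"}
    alerts = []
    for chain in build_chains(reqs):
        hosts = [host_of(r.url) for r in chain]
        if len(set(hosts)) < 2:
            continue  # same-host redirects are routine; the lure is a cross-domain hop
        final = chain[-1]
        reasons = [f"cross-domain redirect {hosts[0]} -> {hosts[-1]}"]
        age = domain_age_days(hosts[-1], now)
        if age is not None and age < NRD_DAYS:
            reasons.append(f"final host registered {age} days ago")
        if (final.client, hosts[-1]) in posts:
            reasons.append("client POSTed to final host (possible credential submission)")
        severity = "high" if len(reasons) == 3 else "medium" if len(reasons) == 2 else "low"
        alerts.append({"client": final.client, "chain": [r.url for r in chain],
                       "final_host": hosts[-1], "nrd_age_days": age,
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(load_requests(LOG_LINES)):
        print(alert["severity"].upper(), alert["client"], " -> ".join(alert["chain"]))
        for reason in alert["reasons"]:
            print("   -", reason)
```

A "high" alert here is a signal to reset the account, not just block the domain: the campaign rotates backend domains, so the durable indicator is the pattern (document link, cross-domain hop, young domain, form POST) rather than any single hostname.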
CyberP1 Opinion
From our point of view, this campaign highlights how phishing attacks have quietly evolved rather than dramatically changed. Instead of relying on obvious tricks or poorly written emails, attackers are now focusing on subtlety and timing. This makes the threat far more dangerous because it blends into normal business activity rather than standing out as suspicious.
What stands out most is the deliberate targeting of finance-related workflows. Attackers clearly understand how organizations operate during financial closing periods. Employees are often under pressure, handling large volumes of transactions, and working within strict deadlines. In such an environment, even trained professionals can overlook minor inconsistencies in emails or documents. The attackers are not forcing urgency—they are exploiting routine.
Another important aspect is the shift toward multi-stage phishing. By introducing PDFs as an intermediate step, attackers are effectively bypassing traditional security tools that focus on detecting malicious links directly in emails. This layered approach also gives them more flexibility. If one part of the attack is detected, they can simply replace or modify that component without redesigning the entire campaign.
The use of QR codes is also worth noting. It reflects a growing trend where attackers move beyond desktop-based attacks and target user behavior across devices. Many users trust QR codes more than links, which makes this method particularly effective.
In our view, the biggest challenge for organizations is not just technical—it is behavioral. Security tools can only go so far if users continue to interact with suspicious content. This campaign proves that even well-crafted defenses can be bypassed when attacks are designed around human behavior.
Going forward, organizations need to focus equally on technology and awareness. Training should not just cover obvious phishing signs but also more subtle indicators, especially in document-based attacks. At the same time, detection systems must evolve to analyze multi-stage interactions rather than single events.
Overall, this campaign is a strong reminder that phishing is no longer a simple threat. It is structured, adaptive, and deeply aligned with real-world business processes.
