Security Experts:

Connect with us

Hi, what are you looking for?



US Government Contractors Targeted in Evolving Phishing Campaign

Threat actors are impersonating various US government departments in phishing attacks targeting the Microsoft 365 credentials of government contractors.

Threat actors are impersonating various US government departments in phishing attacks targeting the Microsoft 365 credentials of government contractors.

Since at least mid-2019, the attackers have been observed sending phishing messages spoofing the US Departments of Commerce, Labor, or Transportation to target organizations in various sectors, with a focus on energy and professional services, including construction.

These targeted emails, which claim to request bids for government projects, are well crafted and very convincing, and were seen bypassing protections offered by secure email gateways (SEGs).

According to phishing prevention and detection firm Cofense, the phishing campaigns have evolved with improved emails and lure PDFs, as well as with updated appearance and behavior of the employed phishing pages.

Some of the most recent attacks have been spoofing .gov email addresses, using logos, consistent formatting, signature blocks, and detailed instructions to increase their sense of legitimacy. The attackers also switched from sending the lure PDF as an attachment to including a link to the document.

US government phishing

The recently observed lure PDFs are featuring the logo of the spoofed government department on the first page, with details about an alleged bidding process placed on the second page, along with the lure to clicking an included link.

The documents also provide more information relevant to the victim, and feature customized metadata that closely resembles that associated with an authentic invitation-for-bid toolkit PDF, Cofense says.

Once the victim clicks on the phishing link in the lure document, they are taken to an initial page that mimics the home page of the spoofed government department, but which includes an extra red button encouraging the victim to click it in order to bid.

To increase the legitimacy of the page, the attackers use HTTPS and specifically emulate government-bid-related themes, informing the victim that they should provide Microsoft Office credentials in order to enter the bidding. A captcha is also served to the victim.

After the credentials are exfiltrated, the victims are redirected to the relevant government department’s legitimate webpage, with no hint whether they have successfully completed the bidding process. However, the lure PDFs specifically instruct the victims not to submit their credentials twice.

“These campaigns are convincing from start to finish and make use of preexisting data copied from legitimate sources in order to mislead victims. The consistent impersonation of a United States federal department is carried out each time with updated information including watermarks on PDFs and information on the credential phishing pages,” Cofense notes.

Related: Google Blocks Chinese Phishing Campaign Targeting U.S. Government

Related: Microsoft: 10,000 Organizations Targeted in Large-Scale Phishing Campaign

Related: APT Group Using Voice Changing Software in Spear-Phishing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...