Security Experts:

Connect with us

Hi, what are you looking for?



US Government Contractors Targeted in Evolving Phishing Campaign

Threat actors are impersonating various US government departments in phishing attacks targeting the Microsoft 365 credentials of government contractors.

Threat actors are impersonating various US government departments in phishing attacks targeting the Microsoft 365 credentials of government contractors.

Since at least mid-2019, the attackers have been observed sending phishing messages spoofing the US Departments of Commerce, Labor, or Transportation to target organizations in various sectors, with a focus on energy and professional services, including construction.

These targeted emails, which claim to request bids for government projects, are well crafted and very convincing, and were seen bypassing protections offered by secure email gateways (SEGs).

According to phishing prevention and detection firm Cofense, the phishing campaigns have evolved with improved emails and lure PDFs, as well as with updated appearance and behavior of the employed phishing pages.

Some of the most recent attacks have been spoofing .gov email addresses, using logos, consistent formatting, signature blocks, and detailed instructions to increase their sense of legitimacy. The attackers also switched from sending the lure PDF as an attachment to including a link to the document.

US government phishing

The recently observed lure PDFs are featuring the logo of the spoofed government department on the first page, with details about an alleged bidding process placed on the second page, along with the lure to clicking an included link.

The documents also provide more information relevant to the victim, and feature customized metadata that closely resembles that associated with an authentic invitation-for-bid toolkit PDF, Cofense says.

Once the victim clicks on the phishing link in the lure document, they are taken to an initial page that mimics the home page of the spoofed government department, but which includes an extra red button encouraging the victim to click it in order to bid.

To increase the legitimacy of the page, the attackers use HTTPS and specifically emulate government-bid-related themes, informing the victim that they should provide Microsoft Office credentials in order to enter the bidding. A captcha is also served to the victim.

After the credentials are exfiltrated, the victims are redirected to the relevant government department’s legitimate webpage, with no hint whether they have successfully completed the bidding process. However, the lure PDFs specifically instruct the victims not to submit their credentials twice.

“These campaigns are convincing from start to finish and make use of preexisting data copied from legitimate sources in order to mislead victims. The consistent impersonation of a United States federal department is carried out each time with updated information including watermarks on PDFs and information on the credential phishing pages,” Cofense notes.

Related: Google Blocks Chinese Phishing Campaign Targeting U.S. Government

Related: Microsoft: 10,000 Organizations Targeted in Large-Scale Phishing Campaign

Related: APT Group Using Voice Changing Software in Spear-Phishing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.