The only thing worse than being fired is scammers fooling you into thinking you're fired

Scumbags play on victims' worst fears in phishing campaign referencing UK Employment Tribunal


A current phishing campaign scares recipients into believing they've been sacked, when in reality they've been hacked – and infected with infostealers and other malware that means a payday for the crooks behind the scam.

The attack begins with an email that appears to be a legal notice informing recipients that their employment has been terminated.

While it's not unusual for scammers to play on people's fears – natural disasters, the COVID-19 pandemic (back in 2020), elections or other hot-button topics frequently appear as phishing lures – baiting people into clicking a malicious link because they think they've been canned "is brutal," said Blake Darché, head of Cloudforce One and threat intelligence at Cloudflare.

"This is the time of year when the economy slows down, and threat actors are preying on that," he told The Register.

Darché told us his team has seen 14 of its customers targeted by this emerging phishing campaign across sectors including aerospace, insurance, state government, consumer electronics, travel, and education.

The phishes have come from four different email addresses. Cloudflare hasn't attributed the attack but assumes the four handles are controlled by a single actor.

"Based on what we've seen, it does appear to be a financially motivated actor," Darché observed. "They are trying to get information off hosts, log into accounts, information stealing."

In one of these scams intercepted by Cloudflare, the email uses the subject line "Action Required: Tribunal Proceedings Against You", and includes the UK coat of arms plus a case number for the nation’s Employment Tribunal.

"This document is extremely urgent and requires your immediate action," the email warns. "Failure to comply with the instructions may result in serious legal consequences."

Recipients are also encouraged to press a "Download Document Now" button to access relevant information.

The link, of course, does not lead to any official Tribunal documents. Instead, it opens a fake Microsoft website laced with malware.

The scam only works on Windows machines. If the recipient tries to click the link on a Mac or iPhone, they see a banner across the top that reads: "This file cannot be opened on this device. Access it on a Windows device to view the document."

In addition to using Microsoft's logo and brand to appear legitimate, this Redmond-centric attack helps the attacker bypass security controls because the victim must retrieve the malware-laden file through more indirect means – it's not sent directly via email.

The phony court document is a RAR archive that contains a malicious Visual Basic script named "Processo Trabalhista.vbs" or "Labor Lawsuit.vbs." When executed, it downloads a Base64-encoded text file (file4.txt), saves it on the now-infected system, and then executes additional malware.

In at least one instance detected by Cloudflare, this included Ponteiro malware [PDF] – a banking trojan that steals credentials from financial websites.
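One way a defender could flag the chain just described (a script host running a .vbs from a user-writable folder, that process writing a Base64 text file such as file4.txt, then spawning a further process), as an added example that is not Cloudflare's or The Register's code; the event fields, paths and stage-2 filename are constructed stand-ins for EDR telemetry:

```python
import base64
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folders an emailed/downloaded archive is typically extracted to (assumed, not from the article)
USER_WRITABLE = re.compile(r"c:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)

def looks_base64(text: str) -> bool:
    """True if the file body is a long, strictly valid Base64 string."""
    body = "".join(text.split())
    if len(body) < 64:
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:
        return False

def detect_vbs_stager(events: list) -> list:
    """Per script-host pid: .vbs from a user-writable path + Base64 .txt written + child spawned."""
    state = defaultdict(lambda: {"vbs": None, "b64": None, "child": None})
    for ev in events:
        if ev["type"] == "process_create":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            cmd = ev.get("cmdline", "")
            if image in SCRIPT_HOSTS and ".vbs" in cmd.lower() and USER_WRITABLE.search(cmd):
                state[ev["pid"]]["vbs"] = cmd
            elif ev.get("ppid") in state:  # anything launched by a flagged script host
                state[ev["ppid"]]["child"] = ev["image"]
        elif ev["type"] == "file_create" and ev["pid"] in state:
            if ev["path"].lower().endswith(".txt") and looks_base64(ev["content"]):
                state[ev["pid"]]["b64"] = ev["path"]
    return [f"pid {pid}: {s['vbs']} wrote {s['b64']} then spawned {s['child']}"
            for pid, s in state.items() if s["vbs"] and s["b64"] and s["child"]]

# Constructed telemetry, not real captures; stage2.exe is a placeholder name.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "ppid": 3000,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Labor Lawsuit.vbs"'},
    {"type": "file_create", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Temp\file4.txt",
     "content": base64.b64encode(b"placeholder second-stage bytes " * 4).decode()},
    {"type": "process_create", "pid": 4188, "ppid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\stage2.exe", "cmdline": "stage2.exe"},
    {"type": "process_create", "pid": 5000, "ppid": 3000,  # benign admin script, must not alert
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maint.vbs"'},
]
```

Requiring all three stages keeps a lone .vbs run by an administrator, or a legitimate Base64 text file, from firing on its own.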

"Threat actors are eager to try to drive engagement, and they're always iterating on how to do that," Darché explained, adding that just because they are using email for this social engineering scam right now doesn't mean they won't pivot at some point in the future.

"They might use another service, like LinkedIn or Facebook, to drive their objectives," he said. That objective is making money. "And they are always eager to take advantage of people." ®
