Beware of Malicious Campaigns with HR and Target Employee Trust

Cybercriminals are taking advantage of Q1 performance evaluations by sending HR-themed phishing emails that impersonate “Human Capital” departments. These deceptive messages create a false sense of urgency and authority, prompting employees to click on malicious links leading to a JotForm survey and a fake Microsoft login page. The goal is to steal credentials, which can result in account takeovers, data breaches, and ransomware attacks. Security experts advise implementing strong email filtering, multi-factor authentication (MFA) and ongoing employee training to defend against these tactics.

Technical Description

As the first quarter comes to a close, employees are preparing for Q1 evaluations that reflect their performance, highlight areas for growth and set the stage for Q2 goals. Cybercriminals are seizing on this period of anticipation by launching phishing campaigns disguised as official company initiatives tied to end-of-quarter processes. The security research team has observed a phishing email campaign designed to exploit authority, urgency, and familiarity. These messages aim to deceive eager and unsuspecting employees by mimicking legitimate communications, ultimately tricking them into revealing sensitive information.

This phishing campaign strategically targets employees during Q1 evaluations, capitalizing on the anticipation surrounding performance reviews and goal-setting. Masquerading as messages from the “Human Capital” department, the emails exploit employees’ trust in HR-related communications. By using psychological triggers like urgency and authority, attackers lure recipients into interacting with malicious content, with the goal of stealing sensitive information such as login credentials.

Phishing Email Design and Urgency Tactics:

The phishing emails are carefully designed to look authentic, appearing to come from the company’s HR department with subject lines like “Act Now: Q1 Updates Deadline March 31!” The message stresses alignment with company goals, listing “Mandatory Actions” such as “Goal-Setting Deadline” and “Q1 Achievement” to create a sense of urgency and importance. A malicious link, disguised as “click here to visit Q1 Wrap-Up Hub in the employee portal,” includes a 3-day deadline, further pressuring employees to act quickly and overlook potential red flags.

Data Harvesting via JotForm Survey:

Clicking the malicious hyperlink leads users to a JotForm survey at hXXps://form[.]jotform[.]com/250025696182053, which is designed to resemble a legitimate pre-access authentication page. It prompts employees to enter their name and department, steps that appear routine for accessing internal documents. This social engineering tactic builds credibility while quietly collecting valuable data for future, more targeted attacks. The initial link in the email, hXXps://fmuas[.]r[.]ag[.]d[.]sendibm3[.]com/mk/cl/f/sh/SMK1E8tHeFuBm02jG51eTIgSrtto/ANtGc_Nfbczm, is a click-tracking redirect on what appears to be a legitimate bulk-mail delivery service, which helps the link pass reputation-based filtering; it was observed resolving to IP addresses including 1[.]179[.]112[.]195, 1[.]179[.]112[.]196 and 1[.]179[.]112[.]197.

Redirect to Spoofed Microsoft Login Page:

After submitting their information through the survey, users are redirected to a spoofed Microsoft login page that closely replicates the official interface. Hosted at deceptive URLs such as hXXps://ekamtahjzr8yjo05vmqiiwkvw20vqi7aixd1dzf04trrc0nki1gohjj06p[.]freyaxw[.]es/jhatlzqxtfgnuip and hXXps://bsukd2[.]dmuok[.]es/n9IzCybq, this fake login page prompts users to enter their Microsoft credentials. If submitted, these credentials are captured by attackers, enabling full account takeovers. The associated payload is distributed through IP addresses including 151[.]101[.]130[.]133, 151[.]101[.]66[.]133, 13[.]77[.]50[.]115, 151[.]101[.]2[.]133 and 151[.]101[.]194[.]133. Note that several of these addresses sit in large shared CDN and cloud-provider ranges, so block and hunt on the URLs and domains rather than on the IP addresses alone; blocking the IPs outright is likely to disrupt legitimate traffic.

Social Engineering and Multi-Stage Attack Strategy:

The effectiveness of this campaign relies on its ability to bypass user skepticism by imitating familiar workflows. The JotForm survey mimics standard internal verification processes, while the fake Microsoft login page leverages trust in commonly used corporate systems. Once credentials are stolen, the consequences can be severe, ranging from internal data breaches and malware infections to ransomware attacks and unauthorized access to sensitive corporate systems. This multi-stage approach allows attackers to collect enough information to escalate their efforts, potentially targeting higher-value assets within the organization.

Conclusion:

This HR-themed phishing campaign highlights the growing sophistication of modern cyberattacks, strategically timed to exploit the Q1 evaluation period and employee trust in internal communications. Through clever social engineering and highly convincing spoofed interfaces, attackers are able to efficiently harvest credentials—paving the way for data breaches, ransomware, and broader network compromise. To defend against these evolving threats, organizations must adopt a proactive security posture that includes robust email filtering, multi-factor authentication, and ongoing employee awareness training.

Impact

This phishing campaign can lead to stolen credentials, resulting in data breaches and potential ransomware attacks. It exploits employee trust during a critical period, increasing the likelihood of successful compromise. The impact can extend to financial loss, reputational damage, and unauthorized access to sensitive systems.

IOC and Context Details

Tactic Name:            Credential Access, Initial Access
Technique Name:         Credential Access: Input Capture (T1056)
                        Initial Access: Phishing (T1566)
Sub-Technique Name:     Credential Access - Input Capture: GUI Input Capture (T1056.002)
                        Initial Access - Phishing: Spearphishing Link (T1566.002)
Attack Type:            Phishing
Targeted Applications:  Microsoft Office 365
Region Impacted:        Global
Industry Impacted:      IT, Business, Staffing and Recruiting
IOCs (URLs):            hxxps://fmuas[.]r[.]ag[.]d[.]sendibm3[.]com/mk/cl/f/sh/SMK1E8tHeFuBm02jG51eTIgSrtto/ANtGc_Nfbczm (initial email link)
                        hxxps://form[.]jotform[.]com/250025696182053 (survey stage)
                        hxxps://ekamtahjzr8yjo05vmqiiwkvw20vqi7aixd1dzf04trrc0nki1gohjj06p[.]freyaxw[.]es/jhatlzqxtfgnuip (spoofed login)
                        hxxps://bsukd2[.]dmuok[.]es/n9IzCybq (spoofed login)
IOCs (IP addresses):    1[.]179[.]112[.]195, 1[.]179[.]112[.]196, 1[.]179[.]112[.]197 (initial link)
                        151[.]101[.]130[.]133, 151[.]101[.]66[.]133, 13[.]77[.]50[.]115, 151[.]101[.]2[.]133, 151[.]101[.]194[.]133 (spoofed login; shared CDN/cloud ranges, treat as low-confidence)
CVE:                    N/A

Recommended Actions

  1. Implement Email Filtering: Deploy advanced email security solutions to detect and block phishing emails, focusing on suspicious links, sender anomalies, and links that pass through third-party click-tracking redirects to form builders or newly registered domains.
  2. Enable Multi-Factor Authentication (MFA): Require MFA for all corporate accounts so that a stolen password alone is not enough to log in. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where possible, since a convincing fake login page can also be used to relay one-time codes and push prompts in real time.
  3. Verify Sender Authenticity: Encourage employees to double-check email senders and avoid clicking links without confirming legitimacy through trusted channels, for example by navigating to the employee portal directly rather than through the emailed link.
  4. Monitor and Hunt: Search proxy, DNS and mail logs for the URLs and domains listed above, regularly update endpoint protection, and monitor network activity to detect phishing-related threats in real time. For any user who reached the spoofed login page, reset the password, revoke active sessions and refresh tokens, and review recent sign-in activity for anomalies.
  5. Report Suspicious Emails: Provide a clear process for employees to report phishing attempts to IT or security teams promptly, and remove reported messages from other mailboxes as soon as the campaign is confirmed.
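The IOC table above and the monitoring step in the recommended actions both come down to the same task: refang the defanged indicators and run them over proxy or mail telemetry. The following is an added example, not tooling from the advisory's authors. It assumes a simple space-separated proxy log layout (timestamp, user, URL) and uses constructed log lines and an email subject for illustration; the indicators themselves are the ones quoted in this advisory. Because the JotForm and tracking-redirect hosts are shared services, and the spoofed-login IP addresses fall in shared CDN/cloud ranges, those hits are reported at a lower "review" tier while exact campaign URLs and the attacker-controlled domains are reported as "confirmed".

```python
"""Hunt for this campaign's indicators in proxy logs and mail subjects.

Added example for the advisory above; not the advisory's own tooling.
Assumed log layout: "<timestamp> <user> <url>", one request per line.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Defanged indicators copied from the advisory.
DEFANGED_URLS = [
    "hXXps://fmuas[.]r[.]ag[.]d[.]sendibm3[.]com/mk/cl/f/sh/SMK1E8tHeFuBm02jG51eTIgSrtto/ANtGc_Nfbczm",
    "hXXps://form[.]jotform[.]com/250025696182053",
    "hXXps://ekamtahjzr8yjo05vmqiiwkvw20vqi7aixd1dzf04trrc0nki1gohjj06p[.]freyaxw[.]es/jhatlzqxtfgnuip",
    "hXXps://bsukd2[.]dmuok[.]es/n9IzCybq",
]
DEFANGED_IPS = [
    "1[.]179[.]112[.]195", "1[.]179[.]112[.]196", "1[.]179[.]112[.]197",
    "151[.]101[.]130[.]133", "151[.]101[.]66[.]133", "13[.]77[.]50[.]115",
    "151[.]101[.]2[.]133", "151[.]101[.]194[.]133",
]
# Domains seen only under attacker control in this campaign: any host under them is a hit.
ATTACKER_DOMAINS = {"freyaxw.es", "dmuok.es"}
# Shared services abused by the campaign: only the exact URL is a strong indicator.
SHARED_SERVICES = {"jotform.com", "sendibm3.com"}
# Subject pattern from the advisory ("Act Now: Q1 Updates Deadline March 31!").
SUBJECT_RE = re.compile(r"\bact now\b.*\bq1\b.*\bdeadline\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged IOC ("hXXps://a[.]b") back into its real, matchable form."""
    s = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxps?://",
                  lambda m: m.group(0).lower().replace("xx", "tt"),
                  s, flags=re.IGNORECASE)


def _norm(url: str) -> str:
    """Normalise a URL for exact comparison (trailing slash only; path case matters)."""
    return url.strip().rstrip("/")


def registrable(host: str) -> str:
    """Crude registrable-domain helper: last two labels (adequate for .com / .es)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


CAMPAIGN_URLS = {_norm(refang(u)) for u in DEFANGED_URLS}
CAMPAIGN_IPS = {refang(ip) for ip in DEFANGED_IPS}


def classify_url(url: str) -> Optional[str]:
    """Return 'confirmed', 'review' or None for a single requested URL."""
    host = urlparse(url).hostname or ""
    if _norm(url) in CAMPAIGN_URLS:
        return "confirmed"            # exact campaign URL
    if registrable(host) in ATTACKER_DOMAINS:
        return "confirmed"            # any host on an attacker-controlled domain
    if host in CAMPAIGN_IPS:
        return "review"               # shared CDN/cloud address: needs an analyst
    if registrable(host) in SHARED_SERVICES:
        return "review"               # legitimate service, different path: needs an analyst
    return None


def hunt(log_text: str) -> List[dict]:
    """Scan '<timestamp> <user> <url>' lines and return every indicator hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url = line.split(maxsplit=2)
        tier = classify_url(url)
        if tier:
            hits.append({"time": ts, "user": user, "url": url, "tier": tier})
    return hits


def suspicious_subject(subject: str) -> bool:
    """True when a mail subject matches the campaign's urgency wording."""
    return bool(SUBJECT_RE.search(subject))


# Constructed proxy log lines for demonstration only; not real telemetry.
SAMPLE_PROXY_LOG = """\
2025-03-27T09:12:03Z alice https://form.jotform.com/250025696182053
2025-03-27T09:12:41Z alice https://bsukd2.dmuok.es/n9IzCybq
2025-03-27T09:15:10Z bob https://form.jotform.com/9999999999
2025-03-27T10:02:55Z carol https://www.microsoft.com/
2025-03-27T10:40:07Z dave https://qz9.freyaxw.es/login
2025-03-27T11:05:19Z erin https://151.101.2.133/static/app.js
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(f"{hit['tier']:9} {hit['time']} {hit['user']:6} {hit['url']}")
    print("subject flagged:", suspicious_subject("Act Now: Q1 Updates Deadline March 31!"))
```

Hosts under the attacker-controlled domains are flagged regardless of subdomain because the spoofed-login URLs use long random labels that will differ between victims; the JotForm and tracking-service hosts are deliberately not treated that way, since blocking or alerting on them wholesale would generate noise from legitimate use.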
