
Christopher Kayser, social engineering expert and president of Canadian-based firm Cybercrime Analytics, says the attack plays on two tactics favored by threat actors: obedience (cut and paste this URL) and trust (this looks like a Microsoft login page). “People think because they are on a trusted [Microsoft] platform that this is OK,” he said in an interview.
But this attack also shows the failures of security awareness training that many organizations perform. If training is effective, employees should suspect there’s something wrong when an app asks for a business email address to confirm they are human, he said, and know that it’s suspicious when they’re asked to cut and paste anything online as a way of proving they are human.
“This is an incredibly new, innovative attack method,” commented Roger Grimes, data-driven defense CISO advisor at KnowBe4. “It’s almost unfair to classify it as a Clickfix subvariant, even though it is.” However, the odds an employee will copy a long URL string as a test of their humanity have to be very, very low, he added. “It screams different and scammy even to the most unknowledgeable user. Can you see your grandparents doing this? Not me. But I’m sure some people do do it, or else the scammers would not try it,” he said.
