September 25, 2020

Widespread authority phishing campaigns with different templates

Joakim Kiuru
Threat Analyst

During the past week, we have seen a new authority phishing campaign emerge on a worldwide scale, with a complete disregard for countries and industries. The campaign has been delivered through several different templates, but all of the messages clearly come from the same larger attack wave. We noticed that these phishing emails were first sent on the 15th of September, and we are still seeing the same campaign going around.

All of the templates in this campaign impersonate authority figures within the recipients’ companies. The core idea in every template is to briefly introduce an interesting topic and make the recipient curious enough to click on the link. The link would lead people to a PDF document containing more information.

The topics of the phishing campaign vary

The specific topic that raises curiosity varies. Some of the phishing emails are about lay-offs, annual bonus reports, or advice regarding customer complaint situations.

What all of these emails have in common is the short but effective introduction. The attacker opens the messages in an attention-grabbing way. This is perhaps most visible in the templates concerned with lay-offs: the recipient immediately reads that their contract with the company has been terminated. The topic is very relevant in these times, when many companies are struggling. Since nobody wants to read this sentence in an email, it is highly effective at raising emotions and urgent curiosity.

Simple, but convincing emails

The templates used for these phishing emails share a very simple format. At a quick glance, the emails are plain enough to be plausible, which is what convinces the recipient that they are real. There are no graphics, such as logos or properly personalized signatures, that could make the emails look more convincing. The sender of the email is also not spoofed, which certainly adds another layer of trustworthiness to the email.

Examples of authority phishing emails

Below you will find some (anonymized) examples of what the phishing emails looked like in this ongoing campaign. The real names of the recipients have been changed to ‘Bob’, and the names of the companies have been changed to ‘Hoxhunt’. The impersonated names in the signatures of the emails are fake.

Subject: RE: Report of Hoxhunt employee

[Image: authority phishing email example]

Subject: FYI: Hoxhunt Employees Termination list — Confirmation Required

[Image: authority phishing email example, "Employees Termination list — Confirmation Required"]

Subject: Re: Hoxhunt termination list

[Image: authority phishing email example, termination list]

Subject: [Lastname], annual report

[Image: authority phishing email example, annual report]

Subject: FW: Urgent: Hoxhunt: A Customer Complaint Request — Prompt Action Required

[Image: authority phishing email example, customer complaint]

The links that the recipients were supposed to click on pointed to Google Docs. We presume that the recipient would have found some kind of graphic there asking them to follow another link in order to log in with their credentials and view the document. Unfortunately, the landing pages were already down, so we did not get a chance to see where the links led.

All of these messages were sent from SendGrid, which is a popular email delivery service for companies. Unfortunately, a lot of phishing messages like these are sent from SendGrid. In a few of the attack vectors, the links led to sites hosted on brizicam.com.
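The traits described above (an authority-themed subject, a SendGrid relay, and a link to Google Docs or brizicam.com) can be combined into a mail triage heuristic. The following is an added example, not Hoxhunt's code: the keyword list, the function name `score_message`, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Lure themes the article names: lay-offs/terminations, annual bonus reports,
# customer complaints. The keyword list itself is an assumption.
LURE_RE = re.compile(r"terminat|lay-?off|annual report|bonus|complaint", re.I)
SENDGRID_RE = re.compile(r"\bsendgrid\.net\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
LINK_DOMAINS = ("docs.google.com", "brizicam.com")  # link hosting from the article

def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message passed as text."""
    msg = message_from_string(raw)
    reasons = []
    if LURE_RE.search(msg.get("Subject", "")):
        reasons.append("lure-subject")
    # The From address is not spoofed in this campaign, so look at the relay
    # path instead: any Received hop that names a sendgrid.net host.
    if any(SENDGRID_RE.search(hop) for hop in msg.get_all("Received", [])):
        reasons.append("sendgrid-relay")
    # Collect URLs from every text part, then compare hostnames exactly or as
    # subdomains so "docs.google.com.attacker.example" does not match.
    body = " ".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    if any(h == d or h.endswith("." + d) for h in hosts for d in LINK_DOMAINS):
        reasons.append("doc-link")
    return len(reasons), reasons

# Constructed sample messages (not taken from the campaign).
SAMPLE_LURE = (
    "Received: from o1.mail.example.sendgrid.net by mx.example.org;"
    " Tue, 15 Sep 2020 09:00:00 +0000\n"
    "From: HR Director <hr@sender.example>\n"
    "Subject: Re: Hoxhunt termination list\n\n"
    "Bob, see the list: https://docs.google.com/document/d/PLACEHOLDER\n")
SAMPLE_BENIGN = (
    "Received: from mail.example.org by mx.example.org;"
    " Tue, 15 Sep 2020 09:05:00 +0000\n"
    "From: Office <office@example.org>\n"
    "Subject: Lunch menu for next week\n\n"
    "See https://intranet.example.org/menu\n")

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw))
```

A score of 3 means all three traits are present. SendGrid and Google Docs both carry large volumes of legitimate mail and links, so a lower score is only a weak signal for review.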
