Recruitment agency Michael Page warns that a phishing campaign is impersonating its consultants to push Ursnif data-stealing malware to exfiltrate credentials and sensitive data from infected computers.

michael page phishing attack heimdal security

Image Source: Michael Page

Operating in 36 countries globally as part of the British-based PageGroup recruitment business, Michael Page is a provider of permanent, contract, and temporary recruitment for clerical professionals, qualified professionals, and executives across multiple disciplines.

The company confirmed that the recruitment consultancy’s servers haven’t been breached and threat actors are only spoofing employees in the phishing emails sent to random targets.

Those who have received one of the fraudulent emails or any suspicious email coming from Michael Page are urged “not to reply or click” on any of the embedded links.

We have been made aware of a global phishing campaign where employees from companies are being impersonated. We are confident that no PageGroup system has been compromised. These phishing emails are being generated from publicly available information not linked to our business and are being then sent on to random email recipients. We strongly advise if you have received a suspicious email, not to reply or click on any link.


Hackers impersonating Michael Page UK recruiters are luring targets with executive positions, BleepingComputer reports.

According to a cybersecurity professional known as TheAnalyst, the embedded links are redirecting potential victims to phishing landing pages with GeoIP and antibot checks.

Once the victims access the landing page, they are asked to download archives with malicious macro-enabled Microsoft Excel spreadsheets (XSLM) and featuring DocuSign branding. The targets are then asked to enable editing to decrypt and open the document.

Once they’ve done so, a decoy document with information on a fake management position is presented to them, while in the background the Ursnif malware payload is downloaded and installed on their computer.

michael page phishing campaign image heimdal security

Image Source: InQuest

According to MITRE,

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links. Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.

Attackers as prolific as Ursnif are constantly trying to find new ways to distribute their malicious payloads while drawing as little attention as possible.

Following the attack, Michael Page asked for vigilance when it comes to online activity and issued some recommendations that can help you protect against such incidents:

  • Install anti-virus software and keep it up-to-date.
  • Update your browser with the latest version.
  • Make sure that the email addresses or websites are valid.
  • Don’t fall for promises of cash/car/holidays; handle this type of emails carefully.
  • Never provide personal/financial information to an unknown or suspicious sender.

Phishing Sites Now Able To Detect Virtual Machines

New Initial Access Tool ‘NimzaLoader’ Spreads via Phishing Emails

Leave a Reply

Your email address will not be published. Required fields are marked *