HR-Themed Campaign Shifts from Credentials to RMM Tools
17 October 2025
By Mimecast Threat Research Team
- Long-running credential harvesting operation conducted by MCTO3022 targeting organizations with HR department impersonation
- Campaigns employ employee handbook compliance requirements and payroll authorization requests
- Latest campaign evolution includes Adobe PDF Sign impersonation that drops PDQConnect RMM tools instead of traditional credential harvesting
- Operations demonstrate advanced social engineering combining fake employment opportunities with compliance-themed lures across multiple industries
Campaign Overview
The Mimecast Threat Research team continues to monitor a credential harvesting campaign conducted by MCTO3022, which systematically targets organizations through HR department impersonation tactics. This persistent operation combines traditional employee handbook compliance lures with evolved payroll authorization schemes, demonstrating significant operational maturity and tactical adaptation over extended campaign periods. HR-themed operations typically focus on employee handbook updates and compliance requirements, leveraging organizational policies that mandate employee engagement with HR communications.
These campaigns exploit the routine nature of HR compliance processes, making malicious communications appear as standard business operations that employees are expected to complete promptly. MCTO3022 demonstrates evasion capabilities through strategic abuse of legitimate services, including SharePoint domains for initial URL hosting and Mailchimp survey platforms for credential collection. This infrastructure approach allows the threat actor to leverage the trust and deliverability associated with established business platforms while maintaining operational flexibility through rapid domain cycling and service switching.
The operation's scope extends beyond traditional credential harvesting to include recruitment-based reconnaissance, where fake regional representative positions are advertised to collect detailed applicant information. This dual-purpose approach suggests sophisticated intelligence gathering capabilities designed to support both immediate credential theft and longer-term organizational reconnaissance activities.
Latest Campaign Evolution: PDQConnect RMM Deployment
Recent campaign activity shows MCTO3022 has evolved beyond traditional credential harvesting to deploy Remote Monitoring and Management (RMM) tools, specifically PDQConnect, through their established Adobe PDF Sign payroll authorization lures. This tactical shift represents a significant escalation in the threat actor's capabilities, moving from credential theft to persistent remote access deployment.
This evolution aligns with broader industry trends where threat actors increasingly abuse legitimate RMM tools to establish persistent access while evading traditional malware detection systems. PDQConnect, being a legitimate remote management tool, often bypasses security controls that focus on detecting traditional malware signatures. This approach allows MCTO3022 to maintain long-term access to compromised systems, potentially supporting data exfiltration, lateral movement, and deployment of additional malicious tools.
Mimecast Protection
Mimecast has implemented enhanced detection capabilities targeting MCTO3022's specific tactics, including analysis of HR-themed social engineering patterns.
Targets
Multiple industries, predominantly in the US and UK
Indicators of Compromise (IOCs)
Hosting Domains:
Common Subject Line Patterns:
- IMPORTANT: 2024 Reviewed Employee Handbook: Task Required
- Reminder: Annual Benefits Open Enrollment!
- Employee Data Protection and Confidentiality Policy: Compulsory Acknowledgment
- HR Request: Signature Required on Business Code of Conduct Policy
- Mandatory Training Schedule for All AP Staff
- IMPORTANT: Employee Handbook- Reviewed 07/30
Immediate Actions:
- Educate users about sophisticated HR impersonation tactics, emphasizing that legitimate HR communications typically do not require immediate external link engagement or software downloads
- Conduct phishing simulations incorporating employee handbook and payroll authorization scenarios with urgent messaging and RMM tool installation requests
- Train staff to verify unusual HR communications through direct contact with HR departments using official contact methods
- Emphasize the importance of reporting suspicious employment opportunity communications that request detailed personal information or software installation
Threat Hunting:
- Search email receipt logs and URL logs for technical indicators associated with these campaigns.
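As an added example (not Mimecast's own tooling), a small Python hunt that scores mailbox subjects against the subject-line patterns listed above and checks URL-log hosts against a defanged indicator list; the indicator hosts and the log records are constructed placeholders, not real telemetry.

```python
import re
from urllib.parse import urlparse

CAMPAIGN_SUBJECTS = [  # subject-line patterns reported in the post
    "IMPORTANT: 2024 Reviewed Employee Handbook: Task Required",
    "Reminder: Annual Benefits Open Enrollment!",
    "Employee Data Protection and Confidentiality Policy: Compulsory Acknowledgment",
    "HR Request: Signature Required on Business Code of Conduct Policy",
    "Mandatory Training Schedule for All AP Staff",
    "IMPORTANT: Employee Handbook- Reviewed 07/30",
]

DEFANGED_HOSTS = ["fwtrack[.]example-hrnotice[.]test", "go[.]example-tracker[.]test"]  # constructed placeholders; use your own feed

def refang(indicator):
    """Convert defanged notation ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def tokens(subject):
    """Lower-case word tokens; dates, numbers and short words are dropped so variants still match."""
    return {t for t in re.findall(r"[a-z]+", subject.lower()) if len(t) > 3}

def subject_score(subject):
    """Highest Jaccard similarity between a subject and the known campaign subjects."""
    t = tokens(subject)
    scores = [len(t & k) / len(t | k) for k in map(tokens, CAMPAIGN_SUBJECTS) if t | k]
    return max(scores, default=0.0)

def host_hit(url, indicators):
    """True when the URL host equals, or is a subdomain of, any indicator host."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in map(refang, indicators))

def hunt(email_log, url_log, indicators=DEFANGED_HOSTS, threshold=0.5):
    """email_log: (msg_id, subject) pairs; url_log: (msg_id, url) pairs. Returns {msg_id: [reasons]}."""
    flagged = {}
    for msg_id, subject in email_log:
        score = subject_score(subject)
        if score >= threshold:
            flagged.setdefault(msg_id, []).append(f"subject similarity {score:.2f}")
    for msg_id, url in url_log:
        if host_hit(url, indicators):
            flagged.setdefault(msg_id, []).append(f"url host matches indicator: {url}")
    return flagged

# Constructed sample log records, not real telemetry.
SAMPLE_EMAIL_LOG = [("m1", "IMPORTANT: Employee Handbook - Reviewed 08/15"), ("m2", "Lunch menu for Friday"),
                    ("m3", "HR Request: signature required on the Code of Conduct policy")]
SAMPLE_URL_LOG = [("m4", "https://fwtrack.example-hrnotice.test/track?id=1"),
                  ("m5", "https://intranet.corp.test/hr/handbook.pdf")]
```

Token overlap rather than exact matching is what catches the date and punctuation variants the subject patterns show; tune `threshold` against your own mail volume before alerting on it.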