Awardco Employee Rewards Platform Phishing Campaign
18 August 2025
By Hiwot Mendahun, Ankit Gupta and Mimecast Threat Research Team
- Multi-month campaign impersonating Awardco employee rewards platform targeting entire organizations since May 2025
- Sophisticated evasion using multiple redirect chains, legitimate security URL solutions, and various delivery methods including QR codes
- Campaign leverages universal employee expectation of rewards program communications to maximize reach
- Attribution to internally tracked threat operation MCT03028 with significant resources and evolving techniques
Campaign Overview
Hiwot Mendahun, Ankit Gupta and the Mimecast Threat Research team have identified an extensive, multi-month campaign targeting organizations by impersonating Awardco, a widely used employee rewards and recognition platform. This campaign is attributed to a threat operation internally tracked as MCT03028 and represents a significant human risk challenge as it exploits the universal expectation that employees receive communications about workplace rewards, benefits, and recognition programs.
Unlike targeted attacks that focus on specific roles or departments, Awardco impersonation can effectively target entire organizations since all employees typically interact with rewards platforms and expect to receive related notifications. Since May 2025, threat actors have demonstrated remarkable persistence and sophistication, utilizing various compromised accounts, multiple redirect services, and diverse delivery methods to maintain campaign effectiveness. The attacks leverage the inherent trust employees place in legitimate workplace benefits communications, making this particularly dangerous from a human risk management perspective. Employees naturally expect communications about rewards programs, performance recognition, and benefit updates, creating an ideal social engineering opportunity for threat actors.
The campaigns have evolved over the four-month period, demonstrating the threat actors' adaptability and resource availability. Initially utilizing simple redirects through compromised domains, the operation has progressed to incorporate sophisticated multi-stage redirect chains, QR code delivery mechanisms, SMS-based distribution, and abuse of legitimate security services.
This evolution indicates a well-resourced threat operation with continuous development capabilities. The psychological effectiveness of this campaign stems from its exploitation of legitimate workplace processes. Unlike suspicious external communications, Awardco notifications appear to originate from expected business processes, significantly reducing employee suspicion and increasing engagement rates.
Technical Analysis
The threat actors have employed multiple redirect chain variations throughout the campaigns, demonstrating sophisticated evasion capabilities. In one example from August 1st 2025, a total of 9 redirects were used, including a CAPTCHA page, before the final phishing page.
The campaigns demonstrate consistent technical patterns including Base64 encoding, legitimate service abuse (AWS SES, Sophos, Google Sites), and strategic use of compromised business email accounts to enhance credibility. The threat actors show preference for Amazon SES accounts, likely compromised, with some utilization of Office 365 accounts for distribution.
Mimecast Protection
Mimecast has implemented detection for Awardco impersonation campaigns. Our threat research team continues to monitor for changes in tactics and techniques used by these threat actors to ensure our customers remain protected against evolving attack vectors.
Indicators of Compromise (IOCs)
Redirect Infrastructure abused:
- c.podium.co - Click tracking service by Podium
- sites.google.com - Google Sites
- sales-engage.com - HubSpot Sales Engage service
- eu-central-1.protection.sophos.com - Sophos link rewrite service
- 86nxjchv.r.us-east-1.awstrack.me - AWS tracking
- mop.bz - URL shortening service
Phishing pages hosted on:
- Soundorama[.]com/index[.]html
- Soundorama[.]com/lol[.]html
- tuicorp[.]com/awardco[.]html
- capnco[.]com/go/iex[.]html
Phone Numbers:
- (417) 397-7374 (SMS-based delivery)
Subjects
- Your $400 eGift Card Will Expire Today
- Awardco $200 Point Expiry Alert
- URGENT: Awardco Admin Access Will Expire in 5 Hours
- Congratulation!!!
Recommendations
Email Security Controls
- Analyze advanced redirect chains, ensuring that you can follow complete sequences through multiple legitimate services
- Implement specific detection rules for AWS SES abuse patterns combined with employee benefits themes and Awardco branding
- Deploy real-time QR code analysis for embedded phishing links and suspicious redirection patterns
User Security Awareness Training
- Educate all employees about Awardco impersonation risks, emphasizing universal targeting rather than role-specific threats
- Train users to verify rewards program communications through established internal channels before clicking any links
- Conduct comprehensive phishing simulations incorporating multiple attack vectors: email links, QR codes, and SMS-based scenarios
Proactive Threat Hunting
- Search email receipt logs for matching email subject lines
- Review URL click logs for matching phishing pages
- Monitor for unusual redirect patterns involving legitimate security services (Sophos, Google Sites) combined with rewards themes
- Search for SMS-based social engineering attempts mentioning rewards programs or account reactivation
Monitoring
- Implement monitoring for sequential redirects through multiple legitimate services, particularly those involving employee benefits branding
- Monitor for unusual authentication events following suspected Awardco impersonation attempts
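One way to apply the redirect-chain hunting and monitoring recommendations above to recorded click or sandbox data, as an added example (not Mimecast's detection logic). The sample chains are constructed, and both the two-service threshold and matching `awstrack.me` as a parent domain are assumptions made here.

```python
from urllib.parse import urlsplit

# Redirect services and phishing pages copied from the IOC section of this report.
# "awstrack.me" generalizes the listed 86nxjchv.r.us-east-1.awstrack.me host (assumption).
REDIRECT_SERVICES = ("c.podium.co", "sites.google.com", "sales-engage.com",
                     "eu-central-1.protection.sophos.com", "awstrack.me", "mop.bz")
PHISHING_PAGES = ("Soundorama[.]com/index[.]html", "Soundorama[.]com/lol[.]html",
                  "tuicorp[.]com/awardco[.]html", "capnco[.]com/go/iex[.]html")

def refang(ioc):
    """Turn a defanged IOC (example[.]com) into a lowercase comparable string."""
    return ioc.replace("[.]", ".").lower()

KNOWN_PAGES = {refang(p) for p in PHISHING_PAGES}

def host_and_path(url):
    """Return (hostname without leading www., lowercased path) for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (host[4:] if host.startswith("www.") else host), parts.path.lower()

def analyze_chain(chain, min_services=2):
    """Classify one recorded redirect chain (ordered list of URLs, first hop first)."""
    services, known_page = [], False
    for url in chain:
        host, path = host_and_path(url)
        for svc in REDIRECT_SERVICES:
            if (host == svc or host.endswith("." + svc)) and svc not in services:
                services.append(svc)
        if host + path in KNOWN_PAGES:
            known_page = True
    if known_page:
        verdict = "known-phishing-page"
    elif len(services) >= min_services:  # several abused services stacked in one chain
        verdict = "suspicious-chain"
    else:
        verdict = "no-match"
    return {"hops": len(chain), "services": services, "verdict": verdict}

# Constructed sample chains (paths and example.* hosts are made up for illustration).
CHAIN_KNOWN = ["https://c.podium.co/abc", "https://sites.google.com/view/rewards-example",
               "https://" + refang(PHISHING_PAGES[2])]
CHAIN_STACKED = ["https://mop.bz/x1", "https://86nxjchv.r.us-east-1.awstrack.me/L0/example",
                 "https://landing.example.net/login"]
CHAIN_BENIGN = ["https://sites.google.com/view/team-wiki", "https://intranet.example.com/home"]

if __name__ == "__main__":
    for name, chain in [("known", CHAIN_KNOWN), ("stacked", CHAIN_STACKED), ("benign", CHAIN_BENIGN)]:
        print(name, analyze_chain(chain))
```

A single hop through one of these services is common in legitimate mail, which is why only stacked services or a match on a listed phishing page raises a verdict.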