From a local county email address, asking me to ‘please complete the required training’. Takes you to a hacked wordpress site (based on the wp-crons URL)
Gives a fairly standard fake OWA login page
Then asks for more info
Note: DD/MM/YYYY not MM/DD/YYYY oddly. Are they targeting Europe?
Then you have to ‘wait’ for security (i.e. make it look like it’s doing something)
Then you get a nice word doc. Oddly it didn’t redirect me (was that bit broken?), but commonly they will bounce you over to the real outlook site.
Throwing it at Virus Total doesn’t find anything
I used an online viewer to check the document and it really is an employee evaluation form
This is to try to make the recipient not question it, at least not until later when they try to take the completed for to HR!
Stay safe out there