When the Hiring Process Becomes a Security Liability
Every government agency hires. That means every government agency has an HR inbox - and right now, threat actors are treating that inbox as an open door.
Security researchers and government cybersecurity advisories have documented a growing class of attacks in which malicious actors submit fake job applications carrying weaponized attachments. The files look unremarkable: a PDF resume, a Word document cover letter, a ZIP file containing a “portfolio.” But embedded inside these files are tools specifically designed to kill endpoint detection and response (EDR) software before the real payload is ever deployed.
For state and local government IT teams, this is not a theoretical concern. Many government agencies still accept direct email applications - meaning a single HR coordinator’s inbox is a live attack surface that receives unsolicited files from strangers every single day.
How EDR-Killing Attacks Work
Understanding the threat begins with understanding the mechanics. Modern attackers don’t just bring malware - they bring tools to blind your defenses first.
The BYOVD Technique
One of the most dangerous methods is called Bring Your Own Vulnerable Driver (BYOVD). The attacker bundles a legitimate but outdated, signed Windows kernel driver with their malware package. Because the driver carries a valid Microsoft Authenticode signature, Windows loads it without complaint unless that specific driver already appears on Microsoft’s vulnerable driver blocklist. Once running at kernel level, the driver can terminate EDR processes, remove the hooks security software uses to monitor system calls, and completely unload security agents from memory.
The insidious part: the initial document doesn’t have to contain malware itself. It may simply execute a macro or a script that downloads stage-two components, using the BYOVD driver as the “cleaner” that clears the way. By the time your SOC gets an alert - if they get one at all - the EDR may already be neutralized.
The Document Delivery Chain
Fake job application attacks follow a predictable pattern:
- A lure email arrives with a job-related PDF, DOCX, or ZIP attachment.
- The file prompts “Enable Editing” or runs a script via a shortcut (.lnk) or ISO file.
- A dropper downloads the BYOVD driver and EDR-terminator toolkit.
- The kernel driver disables EDR hooks and antivirus real-time protection.
- Finally, the attacker deploys ransomware, a remote access trojan (RAT), or a data exfiltration tool.
The 2024 Midnight Blizzard spear-phishing campaign, documented by the Microsoft Threat Intelligence team, demonstrated how government-sector employees are specifically targeted with carefully crafted lures - these are not random attacks but deliberate, targeted operations.
Why Government HR Is an Especially Attractive Target
Government HR departments present several characteristics that make them compelling targets:
- Low security awareness density - HR professionals are typically not trained cybersecurity practitioners. They are accustomed to opening attachments because doing so is their job.
- Privileged network position - HR workstations often have access to personnel systems, Active Directory, and financial platforms - a lateral movement goldmine once compromised.
- Predictable behavior - Attackers know that during peak hiring seasons, HR inboxes are flooded, increasing the likelihood that a malicious file is opened without scrutiny.
- Public job postings - Government listings are public record, which means attackers know exactly what roles to impersonate and which departments to target.
The Microsoft Defense-in-Depth Answer
Microsoft’s security stack - already licensed by most government agencies through M365 GCC or Azure Government - provides multiple overlapping controls that can detect and stop this attack chain at every stage.
Layer 1 - Stop the Malicious File Before It Reaches the Inbox
Microsoft Defender for Office 365 Safe Attachments provides detonation-based scanning of email attachments before delivery. Rather than relying on signature matching, Safe Attachments opens suspicious files in an isolated virtual environment and observes their behavior. If the file attempts to execute code, reach out to an external URL, or manipulate system processes, it is blocked before the HR coordinator ever sees it.
Learn more: Safe Attachments in Microsoft Defender for Office 365
For M365 GCC tenants, Safe Attachments should be configured with the Block action (not Dynamic Delivery) for HR distribution groups and shared mailboxes that accept external attachments.
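The configuration described above, as an added example that is not part of the original article: an Exchange Online PowerShell session that creates a Safe Attachments policy with the Block action and scopes it to an HR distribution group. The group address, policy name and tenant type (GCC, not GCC High) are assumptions.

```powershell
# Added example: Safe Attachments policy with Action = Block for HR mailboxes.
# Requires the ExchangeOnlineManagement module and a Security Administrator account.
Import-Module ExchangeOnlineManagement

# M365 GCC uses the default endpoint; GCC High tenants add -ExchangeEnvironmentName O365USGovGCCHigh
Connect-ExchangeOnline

$hrGroup    = 'HR-Applications@agency.example'   # assumed distribution group that receives applications
$policyName = 'HR-SafeAttachments-Block'          # assumed policy name

# Block quarantines the whole message when the detonation sandbox flags the attachment,
# rather than delivering the body first as Dynamic Delivery would.
New-SafeAttachmentPolicy -Name $policyName -Enable $true -Action Block

# Bind the policy to members of the HR group; Priority 0 wins over broader rules.
New-SafeAttachmentRule -Name "$policyName-Rule" -SafeAttachmentPolicy $policyName `
    -SentToMemberOf $hrGroup -Priority 0

# Confirm what was actually applied before closing the change ticket
Get-SafeAttachmentPolicy -Identity $policyName | Select-Object Name, Enable, Action
Get-SafeAttachmentRule -Identity "$policyName-Rule" | Select-Object Name, SentToMemberOf, Priority, State

Disconnect-ExchangeOnline -Confirm:$false
```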
Layer 2 - Protect the EDR Agent Itself from Being Killed
This is the critical defense that directly counters the EDR-killing attack. Microsoft Defender for Endpoint Tamper Protection prevents malicious processes - including BYOVD kernel drivers - from disabling or modifying Defender’s core security settings. When enabled, real-time protection cannot be turned off via registry edits, PowerShell, or third-party processes; virus and threat protection settings are locked; and behavioral monitoring cannot be disabled by running processes.
Even if a BYOVD driver reaches the kernel, it cannot successfully unload or blind Microsoft Defender for Endpoint - the attack chain breaks at the defense evasion step.
Learn more: Prevent changes to security settings with Tamper Protection
Layer 3 - Attack Surface Reduction Rules Block the Execution Chain
Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint are policy-based controls that prevent specific behaviors commonly used in malware delivery. Several are directly relevant to fake resume attacks:
- Block executable content from email client and webmail - Prevents executables, scripts, and macro-enabled Office files from launching directly from an Outlook attachment.
- Block all Office applications from creating child processes - Stops a malicious Word or Excel document from spawning PowerShell, cmd.exe, or other processes.
- Block Office applications from creating executable content - Prevents macro-enabled documents from writing executables or scripts to disk.
- Block JavaScript or VBScript from launching downloaded executable content - Interrupts a common dropper pattern where a script downloads and executes a second-stage payload.
Learn more: Attack surface reduction rules reference
Important for government agencies: ASR rules should first be deployed in Audit mode for at least 30 days before switching to Block mode. This is especially relevant in government environments where legacy document workflows may trigger false positives.
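An added example, not code from the original article, of the staged rollout described above: the four ASR rules listed are set to Audit mode on a pilot endpoint, then the audit events are summarized so the team can decide which rules can be promoted to Block. The rule GUIDs are the published ASR rule identifiers; the event data field names are those emitted by Defender for events 1121/1122, and the 30-day window is the one the article recommends.

```powershell
# Added example: stage ASR rules in Audit mode, then review audit hits before blocking.
# In production push these settings via Intune or Configuration Manager rather than locally.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

# Step 1: Audit mode (elevated session). Audit logs what would have been blocked, without blocking.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: summarize audit events. Event 1122 = rule would have blocked (audit), 1121 = rule blocked.
function Get-AsrAuditSummary {
    param([int]$Days = 30)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Rule    = $asrRules[$data['ID'].Trim('{', '}')]   # rule GUID, braces stripped
            Process = $data['Process Name']                   # process that triggered the rule
            Target  = $data['Path']                           # file or child process involved
            User    = $data['User']
        }
    }
}

# Frequent rule/process pairs are either legacy workflows to exclude or incidents to investigate.
Get-AsrAuditSummary -Days 30 |
    Group-Object Rule, Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 3, after review: promote a rule to Block mode (Enabled) one rule at a time.
# Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
#     -AttackSurfaceReductionRules_Actions Enabled
```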
Layer 4 - Behavioral Blocking Catches What Signatures Miss
Fileless and BYOVD attacks are designed to evade signature-based detection. Microsoft Defender for Endpoint’s behavioral blocking and containment uses machine learning and AI to analyze process trees, API call patterns, and memory behavior in real time - even for threats already executing. If a process attempts to inject into a security agent or modify kernel structures, Defender for Endpoint can contain the threat and raise an incident for SOC investigation.
Learn more: Behavioral blocking and containment in Defender for Endpoint
Layer 5 - Controlled Folder Access as a Ransomware Backstop
If the ultimate goal is ransomware deployment, Controlled Folder Access provides a final layer of protection by preventing unauthorized applications from modifying files in protected directories. Even if EDR evasion partially succeeds, the ransomware payload will be blocked from encrypting documents, downloads, and other critical folders.
Learn more: Protect important folders with controlled folder access
Why This Matters for Government
State and local government agencies operate under unique constraints that make this threat particularly acute:
Budget and staffing realities mean that many agencies lack dedicated SOC teams monitoring every alert in real time. Layered, automated defenses that stop attacks before human review is required are not a luxury - they are a necessity.
Public records and open government requirements mean that job postings, HR contact information, and personnel structures are publicly accessible. Attackers can conduct highly targeted reconnaissance at zero cost before crafting their lure.
High-value data stores sit adjacent to HR systems. A compromised HR workstation may have network access to voter registration databases, court systems, public safety networks, or financial ledgers - the blast radius of a successful compromise extends far beyond the HR department.
GCC tenant limitations do not impede these defenses. Tamper Protection, ASR rules, behavioral blocking, and Safe Attachments all function identically in M365 GCC environments.
If your agency accepts job applications by email, your HR inbox is an attack surface. The question is not whether threat actors are aware of this - they are. The question is whether your defenses are configured to match the sophistication of the attack.
Recommended Actions for Government IT Leaders
- Audit your HR email flows - Identify all inboxes, shared mailboxes, and distribution groups that receive external attachments related to hiring.
- Enable Safe Attachments with Block action for all HR-related mailboxes in your Defender for Office 365 configuration.
- Verify Tamper Protection is enabled across all endpoints, managed through Microsoft Intune or Configuration Manager, and confirmed active in the Microsoft Defender portal.
- Deploy ASR rules in Audit mode for at least 30 days, then promote email and Office-related rules to Block mode after reviewing the audit data.
- Enable Controlled Folder Access on endpoints used by HR and finance personnel.
- Review Defender for Endpoint onboarding coverage - HR workstations should be verified as fully onboarded and reporting.
- Conduct tabletop exercises that include an HR-inbox malware scenario so your team knows the response playbook before an incident occurs.
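A read-only posture check for the endpoint-side items in the list above (Tamper Protection, ASR rules, Controlled Folder Access and Defender for Endpoint onboarding), added here as an example and not part of the original article. It reports from the local Defender cmdlets; the list of rules expected in Block mode is an assumption taken from the ASR section of this article.

```powershell
# Added example: verify an HR workstation against the article's endpoint baseline.
# Run in an elevated session locally, or as an Intune/ConfigMgr compliance script.
$expectedAsr = @(
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550',   # executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',   # Office child processes
    '3B576869-A4EC-4529-8536-B80A7769E899',   # Office creating executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D'    # JS/VBS launching downloaded executables
)

function Test-HrEndpointPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # MDE sensor service

    # Map each configured ASR rule id to its action: 0 Off, 1 Block, 2 Audit, 6 Warn
    $asrState = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $asrState[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    $notBlocking = $expectedAsr | Where-Object { $asrState[$_] -ne 1 }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        TamperProtected        = $status.IsTamperProtected          # cannot be set by script; Intune/portal only
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        MdeSensorRunning       = [bool]($sense -and $sense.Status -eq 'Running')
        ControlledFolderAccess = $pref.EnableControlledFolderAccess  # 1 Enabled, 2 Audit, 0 Disabled
        AsrRulesNotBlocking    = ($notBlocking -join ',')
    }
}

$posture = Test-HrEndpointPosture
$posture | Format-List

# Fail loudly so a compliance baseline or ticketing hook can pick the gap up
if (-not $posture.TamperProtected -or -not $posture.MdeSensorRunning -or
    $posture.ControlledFolderAccess -ne 1 -or $posture.AsrRulesNotBlocking) {
    Write-Warning "Endpoint $($posture.Computer) does not meet the HR endpoint baseline"
}
```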
The tools to defend against this threat are already in your Microsoft licensing agreement. The work is in the configuration - and that configuration work is significantly less costly than a ransomware recovery.
For more information on configuring Microsoft Defender for Endpoint and Defender for Office 365 in government environments, visit Microsoft Learn and the Microsoft Security blog.
