FedEx and DHL phishing emails target Microsoft users

The campaign aims to steal credentials using spoof phishing pages hosted on legitimate domains

FedEx envelopes stacked messily on top of one another

Security researchers have discovered FedEx and DHL Express phishing attempts targeting about 10,000 mailboxes.

IT security firm Armorblox wrote in a blog post that both attacks hit Microsoft email users to steal credentials and used spoof phishing pages hosted on legitimate domains, including those from Quip and Google Firebase, to sidestep security filters.

“The email titles, sender names and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said Armorblox researchers. 

“Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”

One attack spoofed FedEx with an email titled “You have a new FedEx sent to you” followed by the email’s send date. The email contains information about a document to make it seem legitimate and links to view the supposed document.

When a victim clicks on the link, it takes them to a file hosted on Quip, an additive Salesforce tool that offers documents, spreadsheets, slides, and chat services. Quip has a free version, which is likely what the attackers used to host this page. 

“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box and Quip (in this case),” said researchers. 

“Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”

The spoofed Quip-hosted page is titled “You have received some incoming FedEx files” and features a large FedEx logo to build trust. On the site is a link where victims can review the phony document. 

Once the user clicks the link, it directs them to a phishing page that resembles the Microsoft login portal the hackers hosted on Google Firebase, a platform for creating mobile and web applications.

If the victim enters incorrect login details, the page reloads the login portal with an error message asking the victim to enter the correct information. According to researchers, “this might point to some backend validation mechanism in place that checks the veracity of entered details.”

Related Resource

The State of Email Security 2020

Email security insights at your email perimeter, inside your organisation, and beyond

Email security insights at your email perimeter, inside your organisation, and beyondDownload now

The researchers added the “attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”

In the second phishing campaign, the email sender's name comes up as “DHL Express,” and the subject line is “Your parcel has arrived,” with the victim’s email address at the end. 

The email informs victims a parcel has arrived for them at the “post office,” but DHL couldn’t deliver it due to incorrect delivery details.

The email guides victims to check the attached shipping documents for instructions to receive their delivery. Downloading and opening the HTML previews a spreadsheet that looks like shipping documents, but a login request box impersonating Adobe covers it.

“The email field in the login box was pre-filled with the victim’s work email,” said researchers. “Attackers are banking on victims to think before they act and enter their work email password into this box without paying too much attention to the Adobe branding.”

As with the FedEx phishing attack, entering incorrect details on this page returns an error message asking the victim to enter the correct information.

“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible,” said Preet Kumar, director of customer success at Armorblox. 

Kumar continued, “Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email.”

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Microsoft touts new cyber security help for nonprofits
cyber security

Microsoft touts new cyber security help for nonprofits

22 Oct 2021
A quarter of all malicious JavaScript is obfuscated
hacking

A quarter of all malicious JavaScript is obfuscated

20 Oct 2021
Organizations warned of ransomware risk from smaller operators
ransomware

Organizations warned of ransomware risk from smaller operators

19 Oct 2021
Iranian hacking group continues to target US citizens
hacking

Iranian hacking group continues to target US citizens

18 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021