IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FedEx and DHL phishing emails target Microsoft users

The campaign aims to steal credentials using spoof phishing pages hosted on legitimate domains

Security researchers have discovered FedEx and DHL Express phishing attempts targeting about 10,000 mailboxes.

IT security firm Armorblox wrote in a blog post that both attacks hit Microsoft email users to steal credentials and used spoof phishing pages hosted on legitimate domains, including those from Quip and Google Firebase, to sidestep security filters.

“The email titles, sender names and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said Armorblox researchers. 

“Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”

One attack spoofed FedEx with an email titled “You have a new FedEx sent to you” followed by the email’s send date. The email contains information about a document to make it seem legitimate and links to view the supposed document.

When a victim clicks on the link, it takes them to a file hosted on Quip, an additive Salesforce tool that offers documents, spreadsheets, slides, and chat services. Quip has a free version, which is likely what the attackers used to host this page. 

“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box and Quip (in this case),” said researchers. 

“Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”

The spoofed Quip-hosted page is titled “You have received some incoming FedEx files” and features a large FedEx logo to build trust. On the site is a link where victims can review the phony document. 

Once the user clicks the link, it directs them to a phishing page that resembles the Microsoft login portal the hackers hosted on Google Firebase, a platform for creating mobile and web applications.

If the victim enters incorrect login details, the page reloads the login portal with an error message asking the victim to enter the correct information. According to researchers, “this might point to some backend validation mechanism in place that checks the veracity of entered details.”

Related Resource

The State of Email Security 2020

Email security insights at your email perimeter, inside your organisation, and beyond

Email security insights at your email perimeter, inside your organisation, and beyondDownload now

The researchers added the “attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”

In the second phishing campaign, the email sender's name comes up as “DHL Express,” and the subject line is “Your parcel has arrived,” with the victim’s email address at the end. 

The email informs victims a parcel has arrived for them at the “post office,” but DHL couldn’t deliver it due to incorrect delivery details.

The email guides victims to check the attached shipping documents for instructions to receive their delivery. Downloading and opening the HTML previews a spreadsheet that looks like shipping documents, but a login request box impersonating Adobe covers it.

“The email field in the login box was pre-filled with the victim’s work email,” said researchers. “Attackers are banking on victims to think before they act and enter their work email password into this box without paying too much attention to the Adobe branding.”

As with the FedEx phishing attack, entering incorrect details on this page returns an error message asking the victim to enter the correct information.

“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible,” said Preet Kumar, director of customer success at Armorblox. 

Kumar continued, “Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email.”

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

The truth about cyber security training
Whitepaper

The truth about cyber security training

25 Apr 2022
The truth about cyber security training
Whitepaper

The truth about cyber security training

25 Apr 2022
The Total Economic Impact™ of Mimecast
Whitepaper

The Total Economic Impact™ of Mimecast

25 Apr 2022
The Total Economic Impact™ of Mimecast
Whitepaper

The Total Economic Impact™ of Mimecast

25 Apr 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Researchers demonstrate how to install malware on iPhone after it's switched off
Security

Researchers demonstrate how to install malware on iPhone after it's switched off

18 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022