FedEx and DHL phishing emails target Microsoft users

The campaign aims to steal credentials using spoof phishing pages hosted on legitimate domains

FedEx envelopes stacked messily on top of one another

Security researchers have discovered FedEx and DHL Express phishing attempts targeting about 10,000 mailboxes.

IT security firm Armorblox wrote in a blog post that both attacks hit Microsoft email users to steal credentials and used spoof phishing pages hosted on legitimate domains, including those from Quip and Google Firebase, to sidestep security filters.

“The email titles, sender names and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said Armorblox researchers. 

“Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”

One attack spoofed FedEx with an email titled “You have a new FedEx sent to you” followed by the email’s send date. The email contains information about a document to make it seem legitimate and links to view the supposed document.

When a victim clicks on the link, it takes them to a file hosted on Quip, an additive Salesforce tool that offers documents, spreadsheets, slides, and chat services. Quip has a free version, which is likely what the attackers used to host this page. 

“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box and Quip (in this case),” said researchers. 

“Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”

The spoofed Quip-hosted page is titled “You have received some incoming FedEx files” and features a large FedEx logo to build trust. On the site is a link where victims can review the phony document. 

Once the user clicks the link, it directs them to a phishing page that resembles the Microsoft login portal the hackers hosted on Google Firebase, a platform for creating mobile and web applications.

If the victim enters incorrect login details, the page reloads the login portal with an error message asking the victim to enter the correct information. According to researchers, “this might point to some backend validation mechanism in place that checks the veracity of entered details.”

Related Resource

The State of Email Security 2020

Email security insights at your email perimeter, inside your organisation, and beyond

Email security insights at your email perimeter, inside your organisation, and beyondDownload now

The researchers added the “attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”

In the second phishing campaign, the email sender's name comes up as “DHL Express,” and the subject line is “Your parcel has arrived,” with the victim’s email address at the end. 

The email informs victims a parcel has arrived for them at the “post office,” but DHL couldn’t deliver it due to incorrect delivery details.

The email guides victims to check the attached shipping documents for instructions to receive their delivery. Downloading and opening the HTML previews a spreadsheet that looks like shipping documents, but a login request box impersonating Adobe covers it.

“The email field in the login box was pre-filled with the victim’s work email,” said researchers. “Attackers are banking on victims to think before they act and enter their work email password into this box without paying too much attention to the Adobe branding.”

As with the FedEx phishing attack, entering incorrect details on this page returns an error message asking the victim to enter the correct information.

“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible,” said Preet Kumar, director of customer success at Armorblox. 

Kumar continued, “Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email.”

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
PowerShell threats increased over 200% last year
cyber security

PowerShell threats increased over 200% last year

14 Apr 2021
Russia launched over a million cyber attacks in three months
hacking

Russia launched over a million cyber attacks in three months

13 Apr 2021
New DNS vulnerabilities put millions of IoT devices at risk
Internet of Things (IoT)

New DNS vulnerabilities put millions of IoT devices at risk

13 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021