10K Microsoft Email Users Hit in FedEx Phishing Attack

Microsoft users are receiving emails that pretend to be from mail couriers FedEx and DHL Express – but that really aim to steal their credentials.


Lindsey O'Donnell

Researchers are warning of recent phishing attacks targeting at least 10,000 Microsoft email users, pretending to be from popular mail couriers – including FedEx and DHL Express.

Both scams have targeted Microsoft email users and aim to swipe their work email account credentials. They also used phishing pages hosted on legitimate domains, including those from Quip and Google Firebase – allowing the emails to slip by security filters built to block known bad links.

“The email titles, sender names and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said researchers with Armorblox on Tuesday. “Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”

FedEx Phishing Emails: Using Quip, Google Firebase

The phishing email spoofing American multinational delivery services company FedEx was titled, “You have a new FedEx sent to you,” with a date that the email was sent.

This email contained some information about the document to make it seem legitimate – such as its ID, number of pages and type of document – along with a link to view the supposed document. If the recipients clicked on the email, they would be taken to a file hosted on Quip. Quip, which comes in a free version, is a tool for Salesforce that offers documents, spreadsheets, slides, and chat services.

“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box and Quip (in this case),” said researchers. “Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”

This page contained the FedEx logo and was titled “You have received some incoming FedEx files.” It then included a link for victims to review the supposed document. Once the victims clicked on this page, they would finally be taken to a phishing page that resembled the Microsoft login portal, which is hosted on Google Firebase, a platform developed by Google for creating mobile and web applications. Google Firebase has increasingly been utilized by phishing attacks over the past year to sidestep detection.

DHL Express Phishing Attack: Curious Adobe Login Prompt

A separate campaign impersonated German international courier DHL Express, with emails telling recipients that “Your parcel has arrived,” with their email addresses at the end of the title.

The email told recipients that a parcel could not be delivered to them due to incorrect delivery details – and that the parcel is instead ready for pickup at the post office.

The email prompted recipients to check out attached “shipping documents” if they want to receive their delivery. The attached document was an HTML file (titled “SHIPPING DOC”) that, when opened, previewed a spreadsheet that looked like shipping documents.

The preview was layered over with a login request box impersonating Adobe’s PDF reader. Researchers noted that it’s possible that attackers were trying to phish for Adobe credentials – but it’s more likely that they were trying to get victims’ work email credentials.

“The email field in the login box was pre-filled with the victim’s work email,” said researchers. “Attackers are banking on victims to think before they act and enter their work email password into this box without paying too much attention to the Adobe branding.”

Similarly to the FedEx phishing attack, when victims entered their details on this page, it returned an error message.
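The DHL lure described above leaves three traits a mail filter can check: an HTML attachment, a password field inside it, and the recipient's own address pre-filled in the form and repeated in the subject. The following Python sketch is an added example, not code from Armorblox or from this article; the addresses, the `.html` file extension and the indicator names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

class FormScan(HTMLParser):
    """Records password inputs plus all attribute values and text nodes."""
    def __init__(self):
        super().__init__()
        self.has_password = False
        self.values = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        self.values.extend(v.lower() for v in a.values() if v)
    def handle_data(self, data):
        self.values.append(data.lower())

def scan_message(raw):
    """Return (filename, indicators) for each HTML attachment with a login form."""
    msg = email.message_from_string(raw, policy=policy.default)
    rcpts = [a.addr_spec.lower() for a in (msg["To"].addresses if msg["To"] else ())]
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # HTML sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        scan = FormScan()
        scan.feed(body)
        if not scan.has_password:
            continue
        hits = ["password_input"]
        if any(r in v for r in rcpts for v in scan.values):
            hits.append("recipient_prefilled")
        if any(r in (msg["Subject"] or "").lower() for r in rcpts):
            hits.append("recipient_in_subject")
        findings.append((name, hits))
    return findings

def build_sample(form_html):
    """Constructed test message; addresses and file extension are made up."""
    m = EmailMessage()
    m["From"] = "DHL Express <notify@courier.example>"
    m["To"] = "alice@corp.example"
    m["Subject"] = "Your parcel has arrived alice@corp.example"
    m.set_content("Please see the attached shipping documents.")
    m.add_attachment(form_html, subtype="html", filename="SHIPPING DOC.html")
    return m.as_string()
```

A password field in an attached HTML file is already unusual for courier mail; the two recipient indicators raise confidence that the form was built for one specific mailbox.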

Tapping into COVID-19 Trends

With COVID-19 making more people turn to online platforms for purchasing goods, groceries and various household accessories – rather than in-person stores – online shipping is at an all-time high.

Cybercriminals are tapping into this, as seen in these recent phishing emails – but they have also leveraged many other timely lures, including COVID-19 relief funds, vaccine rollouts and personal protective equipment (PPE) needs.

“During the pandemic, we have all been getting online deliveries, often contactless deliveries and being in mail correspondence with FedEx/DHL is thus a common part of our lives now,” Preet Kumar, director of Customer Success at Armorblox, told Threatpost. “Attackers are banking on victims buying into the legitimacy of this email and taking quick action without thinking about it too much.”


