FedEx and DHL phishing emails target Microsoft users

FedEx envelopes stacked messily on top of one another
(Image credit: Shutterstock)

Security researchers have discovered FedEx and DHL Express phishing attempts targeting about 10,000 mailboxes.

IT security firm Armorblox wrote in a blog post that both attacks hit Microsoft email users to steal credentials and used spoof phishing pages hosted on legitimate domains, including those from Quip and Google Firebase, to sidestep security filters.

“The email titles, sender names and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said Armorblox researchers.

“Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”

One attack spoofed FedEx with an email titled “You have a new FedEx sent to you” followed by the email’s send date. The email contains information about a document to make it seem legitimate and links to view the supposed document.

When a victim clicks on the link, it takes them to a file hosted on Quip, an additive Salesforce tool that offers documents, spreadsheets, slides, and chat services. Quip has a free version, which is likely what the attackers used to host this page.

“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box and Quip (in this case),” said researchers.

“Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”

The spoofed Quip-hosted page is titled “You have received some incoming FedEx files” and features a large FedEx logo to build trust. On the site is a link where victims can review the phony document.

Once the user clicks the link, it directs them to a phishing page that resembles the Microsoft login portal the hackers hosted on Google Firebase, a platform for creating mobile and web applications.

If the victim enters incorrect login details, the page reloads the login portal with an error message asking the victim to enter the correct information. According to researchers, “this might point to some backend validation mechanism in place that checks the veracity of entered details.”


The State of Email Security 2020

Email security insights at your email perimeter, inside your organisation, and beyond


The researchers added the “attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”

In the second phishing campaign, the email sender's name comes up as “DHL Express,” and the subject line is “Your parcel has arrived,” with the victim’s email address at the end.

The email informs victims a parcel has arrived for them at the “post office,” but DHL couldn’t deliver it due to incorrect delivery details.

The email guides victims to check the attached shipping documents for instructions to receive their delivery. Downloading and opening the HTML previews a spreadsheet that looks like shipping documents, but a login request box impersonating Adobe covers it.

“The email field in the login box was pre-filled with the victim’s work email,” said researchers. “Attackers are banking on victims to think before they act and enter their work email password into this box without paying too much attention to the Adobe branding.”

As with the FedEx phishing attack, entering incorrect details on this page returns an error message asking the victim to enter the correct information.

“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible,” said Preet Kumar, director of customer success at Armorblox.

Kumar continued, “Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email.”

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.