IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FedEx and DHL phishing emails target Microsoft users

The campaign aims to steal credentials using spoof phishing pages hosted on legitimate domains

Security researchers have discovered FedEx and DHL Express phishing attempts targeting about 10,000 mailboxes.

IT security firm Armorblox wrote in a blog post that both attacks hit Microsoft email users to steal credentials and used spoof phishing pages hosted on legitimate domains, including those from Quip and Google Firebase, to sidestep security filters.

“The email titles, sender names and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said Armorblox researchers. 

“Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”

One attack spoofed FedEx with an email titled “You have a new FedEx sent to you” followed by the email’s send date. The email contains information about a document to make it seem legitimate and links to view the supposed document.

When a victim clicks on the link, it takes them to a file hosted on Quip, an additive Salesforce tool that offers documents, spreadsheets, slides, and chat services. Quip has a free version, which is likely what the attackers used to host this page. 

“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box and Quip (in this case),” said researchers. 

“Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”

The spoofed Quip-hosted page is titled “You have received some incoming FedEx files” and features a large FedEx logo to build trust. On the site is a link where victims can review the phony document. 

Once the user clicks the link, it directs them to a phishing page that resembles the Microsoft login portal the hackers hosted on Google Firebase, a platform for creating mobile and web applications.

If the victim enters incorrect login details, the page reloads the login portal with an error message asking the victim to enter the correct information. According to researchers, “this might point to some backend validation mechanism in place that checks the veracity of entered details.”

Related Resource

The State of Email Security 2020

Email security insights at your email perimeter, inside your organisation, and beyond

Email security insights at your email perimeter, inside your organisation, and beyondDownload now

The researchers added the “attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”

In the second phishing campaign, the email sender's name comes up as “DHL Express,” and the subject line is “Your parcel has arrived,” with the victim’s email address at the end. 

The email informs victims a parcel has arrived for them at the “post office,” but DHL couldn’t deliver it due to incorrect delivery details.

The email guides victims to check the attached shipping documents for instructions to receive their delivery. Downloading and opening the HTML previews a spreadsheet that looks like shipping documents, but a login request box impersonating Adobe covers it.

“The email field in the login box was pre-filled with the victim’s work email,” said researchers. “Attackers are banking on victims to think before they act and enter their work email password into this box without paying too much attention to the Adobe branding.”

As with the FedEx phishing attack, entering incorrect details on this page returns an error message asking the victim to enter the correct information.

“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible,” said Preet Kumar, director of customer success at Armorblox. 

Kumar continued, “Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email.”

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Protecting healthcare from cybercrime
Whitepaper

Protecting healthcare from cybercrime

25 May 2022
The truth about cyber security training
Whitepaper

The truth about cyber security training

25 Apr 2022
The truth about cyber security training
Whitepaper

The truth about cyber security training

25 Apr 2022

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Swift exit: How the world cut off Russian banks
finance

Swift exit: How the world cut off Russian banks

24 Jun 2022