10K Microsoft Email Users Hit in FedEx Phishing Attack

Microsoft users are receiving emails pretending to be from mail couriers FedEx and DHL Express – but that really steal their credentials.

Researchers are warning of recent phishing attacks targeting at least 10,000 Microsoft email users, pretending to be from popular mail couriers – including FedEx and DHL Express.

Both scams have targeted Microsoft email users and aim to swipe their work email account credentials. They also used phishing pages hosted on legitimate domains, including those from Quip and Google Firebase – allowing the emails to slip by security filters built to block known bad links.

“The email titles, sender names and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said researchers with Armorblox on Tuesday. “Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”

FedEx Phishing Emails: Using Quip, Google Firebase

The phishing email spoofing American multinational delivery services company FedEx was entitled, “You have a new FedEx sent to you,” with a date that the email was sent.

This email contained some information about the document to make it seem legitimate – such as its ID, number of pages and type of document – along with a link to view the supposed document. If recipients clicked the link in the email, they were taken to a file hosted on Quip. Quip, which comes in a free version, is a Salesforce tool that offers documents, spreadsheets, slides and chat services.

An example of the FedEx phishing attack. Credit: Armorblox

“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box and Quip (in this case),” said researchers. “Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”

This page contained the FedEx logo and was titled “You have received some incoming FedEx files.” It then included a link for victims to review the supposed document. Once victims clicked this link, they were finally taken to a phishing page resembling the Microsoft login portal, which was hosted on Google Firebase, a platform developed by Google for creating mobile and web applications. Google Firebase has increasingly been used by phishing attacks over the past year to sidestep detection.

Of note, if a victim entered their credentials on the page, it reloaded the login portal with an error message asking the victim to enter the correct details.

“This might point to some backend validation mechanism in place that checks the veracity of entered details,” said researchers. “Alternately, attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”

DHL Express Phishing Attack: Curious Adobe Login Prompt

A separate campaign impersonated German international courier DHL Express, with emails telling recipients that “Your parcel has arrived,” with their email address at the end of the title.

The email told recipients that a parcel could not be delivered to them due to incorrect delivery details – and that the parcel is instead ready for pickup at the post office.

An example of the phishing landing page. Credit: Armorblox

The email prompted recipients to check out attached “shipping documents” if they want to receive their delivery. The attached document was an HTML file (titled “SHIPPING DOC”) that, when opened, previewed a spreadsheet that looked like shipping documents.

The preview was layered over with a login request box impersonating Adobe’s PDF reader. Researchers noted that it’s possible that attackers were trying to phish for Adobe credentials – but it’s more likely that they were trying to get victims’ work email credentials.

“The email field in the login box was pre-filled with the victim’s work email,” said researchers. “Attackers are banking on victims to think before they act and enter their work email password into this box without paying too much attention to the Adobe branding.”

Similarly to the FedEx phishing attack, when victims entered their details on this page, it returned an error message.
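Both campaigns share traits a mail gateway can key on: a courier brand in the display name or subject coming from a non-courier sender domain, links into free hosting services such as Quip or Google Firebase, and an HTML attachment standing in for the “shipping documents.” The Python triage function below is an added defender-side example, not code from the article or from Armorblox; the courier domain list, the hosting-service hostnames and the three sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Impersonated brands and the domains they legitimately mail from (assumed for this example).
BRAND_DOMAINS = {"fedex": ("fedex.com",), "dhl": ("dhl.com",)}
# Free hosting services the article names as phishing-page hosts; exact hostnames are assumed.
HOSTING = ("quip.com", "firebaseapp.com", "web.app", "sites.google.com", "box.com")
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def _under(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return the reasons a raw RFC 822 message resembles the courier lures described."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    claimed = (name + " " + msg.get("Subject", "")).lower()
    reasons = []
    # 1. Display name or subject claims FedEx/DHL, but the sender domain is not theirs.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and not _under(sender_domain, domains):
            reasons.append(f"{brand} claimed by sender {sender_domain}")
    for part in msg.walk():
        fname = part.get_filename()
        # 2. HTML attachment, the DHL lure's 'SHIPPING DOC' vehicle.
        if fname and fname.lower().endswith((".html", ".htm")):
            reasons.append(f"html attachment {fname}")
        # 3. Body links that land on a legitimate free hosting service.
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            reasons += [f"hosted link {h}" for h in URL_RE.findall(body) if _under(h, HOSTING)]
    return reasons

def build(sender, subject, body, attach=None):
    """Build a constructed sample message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"], m["Subject"], m["To"] = sender, subject, "user@example.invalid"
    m.set_content(body)
    if attach:
        m.add_attachment(b"<html>...</html>", maintype="text", subtype="html", filename=attach)
    return m.as_string()

FEDEX = build('"FedEx" <notify@mailer.invalid>', "You have a new FedEx sent to you",
              "Document ID 4821, 3 pages. View: https://quip.com/doc/constructed")
DHL = build('"DHL Express" <ship@mailer.invalid>', "Your parcel has arrived user@example.invalid",
            "Check the attached shipping documents.", attach="SHIPPING DOC.html")
CLEAN = build("colleague@example.invalid", "Lunch?", "Menu: https://example.invalid/menu")
```

Each hit is only a signal; in practice these would feed a score alongside authentication results (SPF/DKIM/DMARC) rather than block on their own.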

Tapping into COVID-19 Trends

With COVID-19 making more people turn to online platforms for purchasing goods, groceries and various household accessories – rather than in-person stores – online shipping is at an all-time high.

Cybercriminals are tapping into this, as seen in these recent phishing emails – but they have also leveraged many other timely lures, from COVID-19 relief funds to vaccine rollouts and personal protective equipment (PPE) needs.

“During the pandemic, we have all been getting online deliveries, often contactless deliveries and being in mail correspondence with FedEx/DHL is thus a common part of our lives now,” Preet Kumar, director of Customer Success at Armorblox told Threatpost. “Attackers are banking on victims buying into the legitimacy of this email and taking quick action without thinking about it too much.”
