Security researchers at Armorblox warn of phishing attacks that have so far targeted at least 10,000 Microsoft email users. The emails sent as part of this campaign purport to come from courier companies including FedEx and DHL Express. The attackers' goal is to steal the work email credentials of unsuspecting users.
The researchers said that the subject lines, sender names and content of the emails were crafted to conceal their true intent and make victims believe that the emails came from FedEx and DHL Express. They added that emails about FedEx scanned documents or missed DHL deliveries are not uncommon, so most users do not check these emails for errors or inconsistencies.
The phishing email impersonating the American multinational delivery company FedEx has the subject line "A new FedEx has been sent to you", along with the date the email was sent.
This email contains some information about the document to make it appear legitimate, such as its ID, number of pages and document type, along with a link to view the supposed document. If recipients click through from the email, they are redirected to a file hosted on Quip. Quip, which is available in a free version, is a Salesforce tool offering documents, spreadsheets, slides, and chat services.
This page contains the courier company logo and is titled "You have received some incoming FedEx files." It then displays a link for victims to review the supposed document. Once victims click through from this page, they are taken to a phishing page that resembles Microsoft's login portal and is hosted on Google Firebase, a platform developed by Google for mobile and web applications. Google Firebase has been used increasingly in phishing attacks over the last year to avoid detection. If a victim enters their credentials on the page, it reloads the login portal with an error message asking the victim to enter the correct information.
The researchers pointed out that this may indicate a backend validation mechanism that checks the validity of the entered data. Alternatively, the attackers may be trying to collect as many email addresses and passwords as possible, in which case the error message will continue to appear regardless of the information entered.
A separate campaign impersonates the German multinational courier company DHL Express and sends emails telling recipients that "Their package has arrived", with their email addresses at the end of the subject line.
The email tells Microsoft users that a parcel cannot be delivered to them due to incorrect delivery information and that the parcel is ready for delivery in the mail. In addition, the email asks recipients to check the attached "shipping documents" if they want to receive their delivery. The attached document is an HTML file titled SHIPPING DOC.
As in the phishing attack that impersonates FedEx, when Microsoft email users enter their information on this page, they get an error message.
As the outbreak of the COVID-19 pandemic has led most people to turn to online platforms to purchase goods, emails from courier companies are extremely frequent. Cybercriminals take advantage of this situation, as these recent phishing emails show, but they have also taken advantage of many other topical lures, such as COVID-19 relief bonuses, vaccine rollouts and personal protective equipment (PPE) needs.
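The traits described above (a courier brand in the sender name or subject while the mail comes from an unrelated domain, a link to Quip or Firebase hosting, an HTML attachment) can be checked during mail triage. The following is an added example, not code from Armorblox or the original article; the domain lists, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists (not from the article): each brand's own sender domain, and
# hosting domains of the free services the article names (Quip, Firebase).
BRANDS = {"fedex": "fedex.com", "dhl": "dhl.com"}
FREE_HOSTS = ("quip.com", "web.app", "firebaseapp.com")

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return indicator strings found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    sender = addr.rpartition("@")[2].lower()
    claimed = f"{name} {msg['Subject'] or ''}".lower()
    hits = [f"brand-mismatch:{b}" for b, d in BRANDS.items()
            if b in claimed and not under(sender, d)]
    for part in msg.walk():  # multipart containers match neither branch
        fname = (part.get_filename() or "").lower()
        if fname.endswith((".html", ".htm")):
            hits.append("html-attachment")
        elif not fname and part.get_content_maintype() == "text":
            for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if any(under(host, h) for h in FREE_HOSTS):
                    hits.append(f"free-host-link:{host}")
    return hits

# Constructed sample messages modelled on the two lures described above.
FEDEX_SAMPLE = (
    "From: FedEx <notify@mailer.example>\n"
    "Subject: A new FedEx has been sent to you\n"
    "Content-Type: text/plain\n\n"
    "Document ID: 0000, Pages: 2\nView: https://quip.com/CONSTRUCTED-PLACEHOLDER\n")
DHL_SAMPLE = (
    "From: DHL Express <info@sender.example>\n"
    "Subject: Their package has arrived user@corp.example\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nCheck the attached shipping documents.\n"
    '--b1\nContent-Type: text/html\n'
    'Content-Disposition: attachment; filename="SHIPPING DOC.html"\n\n'
    "<html><body>constructed placeholder</body></html>\n--b1--\n")

if __name__ == "__main__":
    for sample in (FEDEX_SAMPLE, DHL_SAMPLE):
        print(triage(sample))
```

A hit on any single indicator is weak on its own, since Quip and Firebase also host legitimate content; the combination of a brand mismatch with a free-host link or HTML attachment is what matches the lures in this campaign.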