Microsoft’s users around the world are receiving emails that appear as though they came from FedEx and DHL Express mail couriers.
Researchers at Armorblox who discovered the campaign say at least 10,000 Microsoft email users became targets of these attacks.
FedEx Phishing Emails
“The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” wrote researchers in a blog post on Tuesday.
The emails mimicking FedEx had enticing titles like “You have a new FedEx sent to you.” When recipients clicked on links in the email, they would be taken to a file hosted on Quip. The page looked legitimate too: it contained the FedEx logo and was titled “You have received some incoming FedEx files.”
Upon clicking, victims would be taken to a phishing page that resembled a Microsoft login page and was hosted on Google Firebase.
Once a victim enters their credentials on the page, the data is in the hands of the fraudsters.
DHL Express Emails
The emails mimicking DHL had the title “Your parcel has arrived” and prompted recipients to check the attached “shipping documents.” The attached HTML file opened a spreadsheet that closely resembled a shipping document.
The page had a login box that resembled Adobe’s PDF reader.
Researchers argued that the attackers either wanted to phish for Adobe credentials or were trying to steal victims’ work email credentials.
“The email field in the login box was pre-filled with the victim’s work email,” said researchers. “Attackers are banking on victims to think before they act and enter their work email password into this box without paying too much attention to the Adobe branding.”
Hosting phishing pages on legitimate domains, such as Quip and Google Firebase, is a known tactic: it lets the emails evade security filters that block only known bad links.
Quip and Google Firebase have easy-to-use free versions and have increasingly been abused by threat actors in the past year to sidestep detection.
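Detection logic for the two lures described above, as an added example (not from Armorblox or the original article): it flags a courier brand name in the headers whose links point elsewhere, links to shared hosting platforms, and an HTML attachment carrying a login form pre-filled with the recipient's address. The brand and hosting-domain lists, the finding labels and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed lists for illustration; tune them for your own mail flow.
BRAND_DOMAINS = {"fedex": "fedex.com", "dhl": "dhl.com"}
SHARED_HOSTS = ("quip.com", "firebaseapp.com", "web.app")

def host_under(host, domain):
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    """Return a sorted list of finding labels for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = set()
    header_text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    recipient = re.search(r"[\w.+-]+@[\w.-]+", msg.get("To", ""))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        hosts = {urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)}
        for host in hosts:
            if any(host_under(host, d) for d in SHARED_HOSTS):
                findings.add("link_on_shared_hosting")
            for brand, domain in BRAND_DOMAINS.items():
                if brand in header_text and not host_under(host, domain):
                    findings.add("brand_link_mismatch")
        is_html_attachment = (part.get_content_subtype() == "html"
                              and part.get_content_disposition() == "attachment")
        if is_html_attachment and re.search(r"type=[\"']?password", body, re.I):
            findings.add("html_attachment_login_form")
            if recipient and recipient.group(0).lower() in body.lower():
                findings.add("login_form_prefilled_with_recipient")
    return sorted(findings)

def build_sample(subject, sender, text, attachment_html=None):
    """Build a constructed test message; every value here is made up."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, "alice@corp.example"
    m.set_content(text)
    if attachment_html:
        m.add_attachment(attachment_html, subtype="html", filename="shipping.html")
    return m.as_string()

if __name__ == "__main__":
    print(analyze(build_sample("You have a new FedEx sent to you",
          "FedEx <notify@mailer.example>", "Files: https://quip.com/constructed-doc")))
```

A link on a shared platform is not malicious by itself, so these labels are best used as scoring signals in combination rather than as individual block rules.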
Armorblox researchers advise users to be vigilant, look out for socially engineered emails, and follow 2FA and password best practices.