Fake DHL emails allow hackers to breach Microsoft 365 accounts

A laptop showing lots of email notifications
(Image credit: Shutterstock)

A new phishing campaign has been uncovered impersonating logistics giant DHL to try and steal Microsoft 365 credentials from victims in the education industry, experts has claimed.

Cybersecurity researchers from Armorblox recently discovered a major phishing campaign, with more than 10,000 emails sent to inboxes belonging to a “private education institution”. 

The email is made to look as if it’s coming from DHL: it carries the company branding as well as tone of voice one might associate with the shipping giant. In the email, titled “DHL Shipping Document/Invoice Receipt” the recipient is informed that a customer sent a parcel to the wrong address and that the correct delivery address needs to be provided.

<a href="https://project.tolunastart.com/tqsruntime/main?surveyData=Q0+ZHk1v+seerVJPB3MBeiu8DEMDIBDHisYB81cDeXB+Tl4/OZ5giQDtZEDgULgE" data-link-merchant="project.tolunastart.com"">TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=Q0+ZHk1v+seerVJPB3MBeiu8DEMDIBDHisYB81cDeXB+Tl4/OZ5giQDtZEDgULgE" data-link-merchant="project.tolunastart.com"" data-link-merchant="project.tolunastart.com"">our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Fake login popup

The email obviously comes with an attachment, conveniently titled “Shipping Document Invoice Receipt” which, if opened, looks like a blurred-out preview of a Microsoft Excel file. 

Over the blurred-out document pops up a Microsoft login page, trying to trick the victims into thinking they need to log into their Microsoft 365 accounts in order to view the contents of the file. Should the victims provide the login credentials, they’d go straight to the attackers.

“The email attack used language as the main attack vector in order to bypass both Microsoft Office 365 and EOP email security controls,” Armorblox explained. “These native email security layers are able to block mass spam and phishing campaigns and known malware and bad URLs. However, this targeted email attack bypassed Microsoft email security because it did not include any bad URLs or links and included an HTML file that included a malicious phishing form.”

As the researchers said, the attackers used a valid domain which allowed them to bypass Microsoft’s email authentication checks. 

The best way for businesses to protect against phishing attacks is to train their employees to spot red flags in their inboxes, such as the sender’s email address, typos and spelling errors in the email, the sense of urgency (legitimate emails will almost never require the user to react urgently), and unexpected links/attachments. 

Via: SiliconAngle

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.