In the first campaign, the attackers impersonated FedEx by sending out emails with the subject line “You have a new FedEx sent to you”. These emails contain some information about the document in order to make it appear more legitimate along with links to view it.
Clicking on the link inside the email takes victims to a file hosted on Quip which is an additive tool for Salesforce that provides documents, spreadsheets, slides and chat services. However, as the service has a free version, it was likely what the attackers behind the campaign used to host their landing page.
- We've built a list of the best endpoint protection software around
- Keep your devices virus free with the best malware removal software
- Also check out our roundup of the best antivirus software
Once a user clicks on the link on the landing page hosted on Quip, it takes them to the final phishing page that resembles the Microsoft login portal and here the attackers are able to harvest user's email credentials. It's worth noting that this final page is hosted on Google Firebase in an effort to fool people as well as email security technologies into thinking the link is legitimate.
DHL Express phishing attack
In the second phishing campaign observed by the Armorblox threat research team, cybercriminals used an email impersonating DHL Express to once again trick users into giving up their credentials.
This email, with the subject line “Your parcel has arrived”, includes the victim's email address at the end of the title and explains that their parcel arrived at their local post office but couldn't be delivered due to incorrect delivery details. It also has shipping documents attached to it that victims will need to check if they want to receive their delivery.
While labeled as a Microsoft Office document, the email attachment is actually an HTML file that previews a spreadsheet when opened. However, the preview is layered over with a login request box that impersonates Adobe. While it could be possible that the attackers were trying to phish for Adobe credentials, it's more likely that they were trying to get victims' work email credentials instead.
To prevent falling victim to these and other similar phishing campaigns, Armorblox recommends that organizations augment their native email security with additional controls, watch out for social engineering cues and use two-factor authentication as well as a password manager.
- We've also highlighted the best disaster recovery services