Researchers reported Tuesday that they found two email phishing attacks targeting at least 10,000 mailboxes at FedEx and DHL Express that look to extract a user’s work email account.

In a blog released by Armorblox, the researchers said one attack impersonates a FedEx online document share and the other pretends to share shipping details from DHL. The phishing pages were hosted on free services such as Quip and Google Firebase to trick security technologies and users into thinking the links were legitimate.

According to the researchers, the two email attacks employed a broad range of techniques to get past traditional email security filters and pass the “eye tests” of unsuspecting end users:

  • Social engineering. The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were from FedEx and DHL. Emails informing users of FedEx scanned documents or missed DHL deliveries are common, so most users tend to take quick action on these emails instead of studying them in detail.  
  • Brand impersonation. In the FedEx attack, the final phishing page spoofs an Office 365 portal packed with Microsoft branding. Requiring Microsoft account credentials to view an invoice document also passes the “logic test” because most people get documents, sheets, and presentations from colleagues every day that consists of the same workflow. The DHL attack payload uses Adobe for its impersonation attempt, with the same underlying logic. 
  • Hosted on Quip and Google Firebase. The FedEx attack flow has two pages, the first one hosted on Quip and the final phishing page hosted on Google Firebase. The inherent legitimacy of these domains lets the email  get past security filters built to block known bad links and files. 
  • Link redirects and downloads. The FedEx attack flow has two redirects, and the DHL attack includes an HTML attachment rather than a URL for its phishing goals. These modified attack flows obfuscate the true final phishing page, another common technique used to fool security technologies that attempt to follow links to their destinations and check for fake login pages.   

Chris Hazelton, director of security solutions at Lookout, said there are few brands like FedEx and DHL (also UPS)  that can quickly capture the attention of targets. With most people stuck at home – many recipients anticipate something they bought online being delivered to them. This includes business transactions where threat actors are mimicking delivery services to trick people into giving up credentials to their organization’s cloud services. 

“They want to get people to click what they think is a valid link and then present them with a fake login page that they will recognize,” Hazelton said. “If the fake page appears convincing enough, then many users will login without thinking about it. These are the risks of cloud services – while they are accessible from any browser, many users inherently trust login screens they recognize. Hackers will also send text messages instead of email because many users don’t think about phishing attacks on mobile, so they’re more likely to respond to a phishing text than email.”

Tom Pendergast, chief learning officer at MediaPro, added that Armorblox does a good job of identifying the technical details of this phish, but there’s also the human side and that’s the same old story: phishes preying on the trust humans place in known brands.

“People trust brands the way they trust friends—and thus they tend to overlook some oddities in behavior that they’d never accept from a ‘stranger,’” Pendergast said. “That’s why we have to be so diligent about not taking anything in our inbox or online at face value.”