DHL Fake Shipping Notification Used in HTML Credential Phishing Attack
Using their knowledge that humans are more likely to make mistakes when they feel fear and urgency, attackers impersonate DHL and request that the recipient “kindly do the needful” to check shipping documents. The HTML attachment included in the email links to what appears to be a Microsoft 365 login page but is actually a phishing page hosted on Azure, where the URL continually changes.
Upon clicking the HTML attachment, the target simply sees a login page, where they may quickly enter their Microsoft account credentials in order to access the shipping information they believe they have received.
Why It Bypassed Traditional Security
Attackers can programmatically create new phishing links and new sender addresses from which to host and send their attacks, which makes them hard to detect. These URLs and addresses are unknown to threat intelligence feeds, which often take a few days to flag them as malicious; by then hundreds of thousands of attacks can have been sent. In this case, the lookalike domain resembles safecart.com, which the user may believe is sending them shipping notifications, and it has no history of malicious activity for the solution to detect.
Detecting the Attack
To stop this attack, it is important to understand which brands and industries are most impersonated. Knowing that shipping companies (and DHL specifically) are frequently used in brand impersonation means that emails referencing them should undergo additional scrutiny. In addition, behavioral systems must look at sender-recipient patterns, alongside links and attachments, to understand when an email deviates from the known baseline.
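As an added example (not code from the original article), the following Python scores a message against the cues described above: a brand reference whose sender domain does not belong to that brand, an HTML attachment, a sender domain absent from the recipient's historical baseline, and urgency wording. The brand-to-domain map, the baseline and the sample email are constructed for illustration; the lookalike domain is a placeholder, not a real indicator.

```python
import re
from dataclasses import dataclass, field

# Assumed configuration: brands known to be impersonated and their legitimate domains.
IMPERSONATED_BRANDS = {"dhl": {"dhl.com"}}
URGENCY_PHRASES = ("kindly do the needful", "urgent", "immediately", "action required")

@dataclass
class Email:
    sender: str                      # e.g. 'DHL Express <notify@example.test>'
    recipient: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # attachment file names

def sender_domain(address: str) -> str:
    """Extract the domain from a display-name address like 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower()

def score_email(msg: Email, known_senders: dict) -> tuple:
    """Return (score, reasons). known_senders maps a recipient to the set of sender
    domains seen in that recipient's baseline (assumed to be built elsewhere)."""
    reasons = []
    domain = sender_domain(msg.sender)
    text = f"{msg.sender} {msg.subject} {msg.body}".lower()
    for brand, legit_domains in IMPERSONATED_BRANDS.items():
        if brand in text and domain not in legit_domains:
            reasons.append(f"references '{brand}' but sender domain is {domain}")
    if any(a.lower().endswith((".html", ".htm")) for a in msg.attachments):
        reasons.append("HTML attachment (common credential-phishing carrier)")
    if domain not in known_senders.get(msg.recipient.lower(), set()):
        reasons.append(f"sender domain {domain} never seen for {msg.recipient}")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("urgency language")
    return len(reasons), reasons

def is_suspicious(msg: Email, known_senders: dict, threshold: int = 3) -> bool:
    return score_email(msg, known_senders)[0] >= threshold

# Constructed sample: a DHL-themed lure with an HTML attachment from an unseen lookalike domain.
SAMPLE = Email(
    sender="DHL Express <shipping@dhl-notice.example>",   # placeholder domain, not a real IoC
    recipient="finance@corp.example",
    subject="Shipping documents awaiting your review",
    body="Kindly do the needful and review the attached shipping documents.",
    attachments=["DHL_Shipping_Document.html"],
)
BASELINE = {"finance@corp.example": {"corp.example", "dhl.com"}}
```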
Risk to Organization
If the target were to open the link and enter their credentials, the attacker would gain access to the entire Microsoft 365 account. From there, threat actors could look for sensitive information and use the account to send more dangerous emails, such as those used in business email compromise attacks.