Using their knowledge that humans are more likely to make mistakes when they feel fear and urgency, attackers impersonate DHL and request that the recipient “kindly do the needful” to check shipping documents. The HTML attachment included in the email links to a what appears to be a Microsoft 365 login page but is actually a phishing page set up on Azure where the URL continually changes. 

Upon clicking the HTML attachment, the target simply sees a login page, where they may quickly enter their Microsoft account credentials in order to access the shipping information they believe they have received. 

Status Bar Dots
62bcc034ae64632071b39679 1266161734
Status Bar Dots
62bcc034ae6463f638b396a4 1819738490

Why It Bypassed Traditional Security

Attackers can create new phishing links and new email addresses from which to host and send their attacks quite programmatically—making them hard to detect. These URLs and new email addresses are unknown to threat intelligence, as they often take a few days to flag as malicious, after which hundreds of thousands of attacks can be sent. In this case, the lookalike domain is similar to which the user may believe is sending them shipping notifications, but which has no indication of bad domain activity for the solution to detect. 

Detecting the Attack

To stop this attack, it is important to understand which brands and industries are most impersonated. Knowing that shipping companies (and DHL specifically) are often used in brand impersonation means that these emails undergo additional scrutiny. In addition, behavioral systems must look at sender-recipient patterns, alongside links and attachments, to understand when an email deviates from the known baseline. 

Risk to Organization

If the target were to open the link and enter his information, access to the entire Microsoft 365 account would be provided to the attacker. From there, threat actors could look for sensitive information and use the account to send more dangerous emails like those used in business email compromise attacks. 

Analysis Overview




Credential Theft


Free Webmail Account


Fake Shipping Notification

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo