In this phishing attack, cybercriminals send an email from a spoofed address impersonating DHL, a trusted global shipping provider, to deceive recipients with a fabricated shipping alert. The message claims that the recipient's shipment has been delayed because the package exceeds the weight limit, and that a small additional fee of €0.45 is required to complete the delivery process. The recipient is instructed to click the provided link to pay the fee and is told that, if they fail to submit payment, the shipment will not be re-delivered. If they click the button labeled “Confirm and Complete”, they are redirected to a phishing site designed to steal sensitive information, such as payment details. To obfuscate the true URL destination, the attacker uses a URL shortener. The attacker also ensures the email closely replicates the structure, style, and branding cues typical of legitimate correspondence from DHL, blending recognizable elements to enhance its perceived authenticity and increase the likelihood of deceiving recipients into divulging private information.

Legacy email security tools struggle to accurately identify this email as an attack because it is sent from a spoofed email address, uses a legitimate link, and lacks malicious attachments. Modern, AI-powered email security solutions flag that the sender is unknown to the recipient, detect links to suspicious domains, and recognize that the sender domain does not match any domains in the message, and so correctly identify the email as an attack.

Phishing attack posing as a notification from DHL regarding a shipment issue

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
  • Legitimate Link: The link redirects through a link shortener website, which can pass through basic link verification checks due to its seemingly legitimate structure.
  • Absence of Malicious Attachments: The email avoids including attachments, which can be easily flagged by antivirus systems, and instead uses a suspicious link to evade detection.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
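
The three signals listed above, sketched as a minimal triage heuristic. This is an added example, not Abnormal's detection logic or code from the original page; the `score_message` function, the shortener list, the naive domain handling, and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a tiny illustrative shortener list; production use needs a maintained feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample message (not the email from the report).
SAMPLE = """\
From: DHL Express <notify@dhl-parcel.example>
To: alice@corp.example
Subject: Your shipment is on hold
Content-Type: text/html

<p>Your package exceeded the weight limit. A fee of 0.45 EUR is due.</p>
<a href="https://bit.ly/constructed-id">Confirm and Complete</a>
"""

def registrable(host):
    """Naive last-two-labels domain. Assumption: no public-suffix list handling."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score_message(raw, known_senders):
    """Return the list of signals raised by a single-part message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = registrable(sender.rpartition("@")[2])
    body = msg.get_payload()  # a string for single-part messages (assumed here)
    hrefs = re.findall(r'href="([^"]+)"', body, re.I)
    hosts = {urlparse(u).hostname or "" for u in hrefs}
    link_domains = {registrable(h) for h in hosts if h}
    signals = []
    if sender not in known_senders:              # no prior communication history
        signals.append("unknown_sender")
    if link_domains & SHORTENER_HOSTS:           # destination hidden behind a shortener
        signals.append("shortened_link")
    if link_domains and sender_domain not in link_domains:
        signals.append("sender_link_domain_mismatch")
    return signals

if __name__ == "__main__":
    print(score_message(SAMPLE, known_senders={"bob@corp.example"}))
```

No single signal is conclusive on its own (newsletters routinely link off-domain, for example), which is why the signals are returned as a list to be weighed together rather than as a verdict.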

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Spoofed Email Address, Spoofed Display Name, Masked Phishing Link
  • Theme: Fake Shipping Notification, Fake Invoice
  • Impersonated Party: Brand
  • Impersonated Brands: DHL
