In this likely AI-generated phishing attack, cybercriminals impersonate the shipping provider DHL and send the target a notification about an issue with their delivery. The attacker uses a spoofed email address with a sender display name formatted to appear as if the message comes from DHL. The email, which carries DHL branding, informs the target that their address could not be located and asks the recipient to scan the QR code in an attached PDF file to update their contact information so that the package can be delivered to the correct address. Should the recipient scan the QR code, however, they are directed to a phishing page designed to steal sensitive information. By leveraging the trusted DHL brand and the urgency of ensuring timely delivery, the attacker hopes to manipulate the recipient into scanning the QR code and disclosing private information.

Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed email address, uses a malicious QR code, and contains convincing AI-generated content. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, flag the mismatch between the sender name and sending domain, and detect a suspicious QR code in the attachment to correctly identify this as an attack.


Phishing email impersonating DHL inquiring about a correction to a delivery address


Malicious QR code attached to email that leads to users compromising their credentials

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate email address, bypassing basic email verification checks and adding perceived authenticity.
  • QR Code Usage: The use of a QR code to direct recipients to a malicious site can bypass traditional link-scanning mechanisms used by legacy security tools.
  • AI-Generated Content: Using AI to generate professional and convincing content helps the email bypass security measures that rely on detecting poorly written phishing attempts.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Sender Name and Domain Mismatch: The sender name (dhlexpressi) does not match the sender domain, raising further suspicion during Abnormal’s analysis.
  • Suspicious Attachment and QR Code: The presence of a PDF attachment containing a QR code prompts Abnormal’s systems to scrutinize and flag the email for potential malicious activities, as this is not a common method used by legitimate internal communications.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Fake Attachment, Spoofed Display Name, Masked Phishing Link
Theme: Fake Shipping Notification
Impersonated Party: Brand
Impersonated Brands: DHL
AI Generated: Likely
