DHL Impersonator Uses Spoofed Email and Microsoft CAPTCHA to Trick Targets in Phishing Attack
In this credential phishing attack, threat actors impersonate DHL and email the target a fake delivery notification. Using a spoofed email address, the attacker sends a message informing the target they have a package ready for delivery but the address on file is invalid. To increase the appearance of legitimacy, the threat actor sets the display name to “Track My Delivery” and incorporates impersonated DHL branding into the body of the email. The recipient is instructed to use the embedded link to verify their address, and a note beneath the button informs them the link will expire three days from the date sent to manufacture a sense of urgency. Should the target click on the button labeled “Verify Your Address”, they will first be prompted with a Microsoft CAPTCHA and then directed to a Microsoft login portal. However, the login screen is actually a phishing page, and any information entered will be stolen by the attacker.
Older, legacy email security tools struggle to identify this email as an attack because it originates from a spoofed email address, uses legitimate links inside the message, and contains no attachments. Modern AI-powered email security solutions correctly flag this email as an attack by detecting suspicious links in the message, identifying that the sender is unknown to the recipient, and recognizing that the sending domain does not match any of the domains in the body links.
To protect against these threats, users should verify delivery notifications by accessing the shipping company’s official website directly, rather than clicking on links in unsolicited emails. Educating employees about recognizing phishing tactics and deploying advanced security tools are essential steps in mitigating these increasingly sophisticated attacks.
Malicious email using impersonated DHL branding to trick customers into divulging sensitive information
Fake Microsoft CAPTCHA used to increase appearance of legitimacy and build trust
Spoofed Microsoft portal designed to steal sensitive information
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks due to their legitimate structure.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
- Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
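The two behavioral indicators listed above (unknown sender, sender domain matching none of the body link domains) can be checked with plain message parsing. The following is an added illustration, not Abnormal's code; the message samples, the `KNOWN_SENDERS` history and all domains are constructed placeholders, and `registrable` is a deliberately crude stand-in for a real public-suffix lookup.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample resembling the campaign on this page: display name
# "Track My Delivery", a spoofed sender, and a "Verify Your Address" link whose
# domain has nothing to do with the sender. All domains are placeholders.
PHISH_EML = """\
From: "Track My Delivery" <notify@dhl-example.invalid>
To: target@corp.example
Subject: Your package could not be delivered
Content-Type: text/html

<p>Your DHL parcel is ready but the address on file is invalid.</p>
<a href="https://verify-example.invalid/captcha">Verify Your Address</a>
<p>This link expires in 3 days.</p>
"""

# Constructed benign counterpart: a known sender whose link stays on its own domain.
BENIGN_EML = """\
From: "DHL Orders" <orders@dhl.example>
To: target@corp.example
Subject: Shipment confirmation
Content-Type: text/html

<a href="https://www.dhl.example/track/123">Track shipment</a>
"""

# Stand-in for the sender-recipient communication history the page mentions.
KNOWN_SENDERS = {"orders@dhl.example", "colleague@corp.example"}

def registrable(host):
    """Crude registrable-domain approximation: keep the last two labels."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def link_domains(html):
    """Registrable domains of every href in the HTML body."""
    return {registrable(urlparse(u).hostname or "") for u in re.findall(r'href="([^"]+)"', html)}

def score_message(raw, known_senders):
    """Return the page's two behavioral indicators that fire for this message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    links = link_domains(msg.get_body(("html", "plain")).get_content())
    reasons = []
    if sender not in known_senders:
        reasons.append("unknown sender")
    if links and registrable(sender.split("@")[-1]) not in links:
        reasons.append("sender domain matches none of the link domains")
    return reasons
```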
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.