In this credential phishing attack, the threat actor impersonates the shipping provider DHL and emails the recipient a failed delivery notification. After spoofing an email address hosted on the domain of a legitimate, Brazil-based telecommunications provider, the attacker sends the target an email claiming that their package could not be delivered because the sender failed to pay the necessary fees. To increase the appearance of legitimacy, the perpetrator convincingly incorporates DHL’s branding into both the initial email and the phishing pages. The recipient is prompted to use the included link to confirm their address and submit payment for the outstanding charges. Should the target click the embedded button, they are redirected to a phishing page, also hosted on the Brazilian telecommunications provider’s website, designed to steal sensitive information, including credit card details.

Legacy email security tools struggle to identify this email as an attack because it appears to originate from a legitimate email address, employs sophisticated social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security solutions recognize the spoofed sender address, detect suspicious links in the message, and analyze the content to correctly flag this email as an attack.


Malicious email impersonating DHL and attempting to manipulate recipient using social engineering


Phishing site convincingly mimicking DHL’s branding 


Penultimate page of the phishing site, designed to steal target’s personal information


Last page in the phishing site, designed to steal target’s credit card information

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker uses a spoofed email address "noreply@grupofonelight[.]com.br" that adds a layer of perceived authenticity and can allow the message to bypass basic email verification checks.
  • Social Engineering Tactic: The email attempts to prompt immediate action without scrutiny by manufacturing a sense of urgency related to the failed package delivery.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Spoofed Email Detection: Abnormal detects that the email is sent from a spoofed address, which contributes to the suspicious nature of the message and triggers further analysis.
  • Suspicious Link Analysis: The link directing the recipient to confirm the shipment and pay fees raises suspicion, prompting Abnormal’s systems to scrutinize and flag the email for potential malicious activities.
  • Content Analysis: Abnormal’s advanced content analysis algorithms flag the urgent message about unpaid fees and delayed delivery as a common phishing tactic.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
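As an added example (not Abnormal Security's detector, whose logic is proprietary, and not code from the original page), the following Python routine applies the indicators listed above to a raw message: the brand named in the message versus the sender's domain, the hosts behind the embedded links, the receiving server's Authentication-Results header (the "basic email verification check" a spoofed sender may or may not pass), and the urgency wording about a failed delivery and unpaid fees. The brand-to-domain list, the placeholder sender domain, and both sample messages are assumptions constructed for this example.

```python
"""Heuristic triage of a brand-impersonation phishing email.

Added illustration, not Abnormal Security's detector. It checks a raw
RFC 5322 message for the signals named in the write-up: a sender domain
that does not belong to the impersonated brand, links whose host is
off-brand, failed SPF/DKIM/DMARC results, and urgency language.
Both sample messages below are constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the brand legitimately sends from (assumed list for the example).
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}

# Phrases typical of the "pay to release your parcel" lure.
URGENCY_TERMS = (
    "could not be delivered", "unpaid", "outstanding", "fee",
    "confirm your address", "within 24 hours", "will be returned",
)


def _belongs_to(host: str, domains: set) -> bool:
    """True if host equals or is a subdomain of any domain in the set."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _auth_failures(msg) -> list:
    """Return the mechanisms (spf/dkim/dmarc) that did not report 'pass'."""
    header = msg.get("Authentication-Results", "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I))
    return [m for m in ("spf", "dkim", "dmarc")
            if results.get(m, "none").lower() != "pass"]


def _links(html: str) -> list:
    """Extract href targets from an HTML body."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, re.I)


def score_message(raw: str) -> dict:
    """Triage one raw message; return the indicators found and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1].lower()

    indicators = []
    # Which brand does the message claim to come from?
    brand = next((b for b in BRAND_DOMAINS
                  if b in text or b in display_name.lower()), None)
    if brand and not _belongs_to(sender_host, BRAND_DOMAINS[brand]):
        indicators.append("sender_domain_not_brand")
    if brand and any(not _belongs_to(urlparse(u).hostname or "", BRAND_DOMAINS[brand])
                     for u in _links(body)):
        indicators.append("off_brand_link")
    failed = _auth_failures(msg)
    if failed:
        indicators.append("auth_" + "_".join(failed))
    if sum(term in text for term in URGENCY_TERMS) >= 2:
        indicators.append("urgency_language")

    verdict = ("phishing" if len(indicators) >= 3
               else "suspicious" if indicators else "clean")
    return {"brand": brand, "sender": sender_host,
            "indicators": indicators, "verdict": verdict}


# Constructed lure modelled on the write-up: DHL branding, sender on an
# unrelated placeholder domain, and a button linking to that same domain.
PHISH = """\
From: DHL Express <noreply@telecom-placeholder.invalid>
To: victim@example.com
Subject: DHL: your package could not be delivered
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=telecom-placeholder.invalid; dkim=none; dmarc=fail header.from=telecom-placeholder.invalid
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your DHL package could not be delivered because the sender did not pay the outstanding fee.</p>
<a href="https://telecom-placeholder.invalid/dhl/confirm">Confirm your address and pay</a>
</body></html>
"""

# Constructed legitimate notification for contrast.
LEGIT = """\
From: DHL Express <noreply@dhl.com>
To: customer@example.com
Subject: Your DHL shipment is on its way
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=dhl.com; dkim=pass header.d=dhl.com; dmarc=pass header.from=dhl.com
Content-Type: text/html; charset=utf-8

<html><body><p>Track your parcel at <a href="https://www.dhl.com/tracking">DHL tracking</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_message(raw))
```

The verdict threshold is deliberately simple; in practice the sender-versus-brand mismatch and the Authentication-Results outcome carry far more weight than keyword counts, and a production pipeline would weight them accordingly and also resolve masked link text against the actual href target.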

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Spoofed Email Address, Masked Phishing Link, Branded Phishing Page
  • Theme: Fake Shipping Notification
  • Impersonated Party: Brand
  • Impersonated Brands: DHL
