Phishing Attack Impersonating FedEx Steal Personal and Financial Data Using Captcha Protection and MFA Bypass

In this attack, the initial email posed as a notification from FedEx that indicated a package for the recipient was awaiting delivery that required confirmation within the next 48 hours. A button marked “Continue” followed this message that supposedly led to a confirmation page. The email contained FedEx branding and included links to the legitimate FedEx privacy policy page. The message was sent from a likely compromised external account and the display name of the sender was set to “FedEx” to look like it was the one sending the email.

Had the recipient clicked on the Continue button, they would have been directed to a phishing site that was protected with a captcha, which is used to prevent automated bots from reaching the phishing site.

Once the captcha code was entered, the recipient would have been shown a screen that indicated their package was being tracked, then a following page would appear stating that some tracking information was missing and the delivery details could not be verified. The recipient then would have been guided through a series of prompts requesting various pieces of personal information required to track and receive the package. 

The first prompt asked for the recipient’s full name and phone number to “start tracking your package.”

The next prompt indicated the package “is still in our warehouse” and asked for the recipient’s delivery address.

The next prompt indicated that the recipient’s address had been updated and requested credit card information for a $2.50 “transport fee” so the package could be processed. This prompt also requested the recipient’s date of birth.

The final prompt asked the recipient to verify the payment by entering a verification code that would be sent to the phone number previously provided. In reality, it is likely that the verification code request was being used as a multi-factor authentication (MFA) bypass tactic, allowing the attacker access to a recipient’s online account.

The URL found in the email is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. Because this email was sent from a legitimate account that has been compromised without a history of abuse, there are no direct signals indicating the email’s origin is malicious.

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. The sending display name matches a known brand (FedEx), but the sending email address has never been associated with that brand.

Because the phishing link was disguised to look like a simple button, an employee receiving the email may click on the link without recognizing it is malicious. Had the employee clicked on the link and entered the requested information, it is likely that their credit card would have been compromised, leading to fraudulent transactions, and other personal information collected by the attacker could be used in future fraudulent activity. This is true even if the recipient has enhanced security measures on their accounts because the attack used sophisticated MFA bypass tactics. If the recipient had been an executive assistant or an employee that handles company mail, it’s possible that this attack could have had a direct financial impact to an organization by compromising a corporate credit card.