Spoofed DHL Email with Malicious QR Code Targets Recipients in Likely AI-Generated Credential Theft Attempt
In this likely AI-generated phishing attack, cybercriminals impersonate DHL by sending an email from a spoofed address. The email, with the subject line “Delivery Notification: Incorrect Address on File,” claims that the delivery of the recipient's package cannot be completed due to an incorrect address. Recipients are urged to update their address by scanning a QR code in the attached PDF. When scanned, the QR code first redirects the recipient to a Microsoft CAPTCHA page and then to a malicious website designed to steal sensitive credentials. By mimicking the branding and communication style of official DHL emails and creating a sense of urgency around the delivery, the attacker seeks to exploit the recipient's trust and prompt immediate action.
Older, legacy email security systems may fail to detect such attacks, as the message originates from a spoofed address, contains no links, and uses no malicious attachments. Modern AI-driven email security solutions, however, correctly identify such threats by detecting that the sender is unknown to the recipient, that the sender's display name does not match the sender's domain, and that the attachment contains a QR code.
To protect against such scams, recipients should independently verify package notifications by accessing shipping updates directly through DHL’s official website or app rather than interacting with unsolicited emails or attachments. Educating employees about the risks of scanning unknown QR codes and investing in advanced email security tools are vital measures to defend against these increasingly sophisticated phishing attacks.
Likely AI-generated phishing email posing as a DHL notification
PDF attached to initial email containing malicious QR code designed to trick targets into providing access to sensitive information
Fake security verification step designed to increase appearance of legitimate correspondence
Malicious lookalike portal that will steal any sensitive information entered
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Lack of Links: The absence of links in the email body helps it avoid detection by legacy systems that typically rely on link scanning to identify phishing emails.
- Lack of Malicious Attachments: By not including suspicious attachments such as HTML attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
- Attachment with QR Code: The presence of an attachment containing a QR code prompts Abnormal’s systems to scrutinize and flag the email for potential malicious activities, as this is not a common method used by legitimate internal communications.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
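As an added illustration (not Abnormal's code or detection logic), the three indicators listed above applied to a constructed message modelled on the DHL lure; the recipient's sender history, the brand-to-domain list, and the QR-scan result passed in as a flag are all assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message modelled on the lure described above (not a real capture).
SAMPLE_EMAIL = """\
From: DHL Express <notifications@dhl-delivery-status.example>
To: jane.doe@corp.example
Subject: Delivery Notification: Incorrect Address on File
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your package could not be delivered. Scan the QR code in the attached PDF to update your address.
--b1
Content-Type: application/pdf; name="DHL_Update.pdf"
Content-Disposition: attachment; filename="DHL_Update.pdf"

%PDF-1.4 placeholder
--b1--
"""

# Constructed communication history: recipient -> senders who have written to them before.
KNOWN_SENDERS = {"jane.doe@corp.example": {"noreply@dhl.com", "alice@corp.example"}}

# Assumed brand list: a display name claiming the brand should come from one of its domains.
BRAND_DOMAINS = {"dhl": ("dhl.com",)}

def sender_name_domain_mismatch(display_name, domain):
    """True if the display name claims a brand but the sender domain is not that brand's."""
    name = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and not any(domain == d or domain.endswith("." + d) for d in domains):
            return True
    return False

def analyze(raw, qr_in_attachment):
    """Return the indicators from the list above that fire for this message.
    qr_in_attachment is the result of an external QR scan of the attachments (assumed)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    recipient = parseaddr(msg["To"])[1].lower()
    indicators = []
    if addr.lower() not in KNOWN_SENDERS.get(recipient, set()):
        indicators.append("unknown_sender")
    if sender_name_domain_mismatch(display_name, domain):
        indicators.append("name_domain_mismatch")
    has_pdf = any(p.get_content_type() == "application/pdf" for p in msg.iter_attachments())
    if has_pdf and qr_in_attachment:
        indicators.append("qr_code_attachment")
    return indicators
```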
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.