A new phishing campaign has been uncovered impersonating logistics giant DHL to try and steal Microsoft 365 credentials from victims in the education industry, experts has claimed.
Cybersecurity researchers from Armorblox recently discovered a major phishing campaign, with more than 10,000 emails sent to inboxes belonging to a “private education institution”.
The email is made to look as if it’s coming from DHL: it carries the company branding as well as tone of voice one might associate with the shipping giant. In the email, titled “DHL Shipping Document/Invoice Receipt” the recipient is informed that a customer sent a parcel to the wrong address and that the correct delivery address needs to be provided.
Fake login popup
The email obviously comes with an attachment, conveniently titled “Shipping Document Invoice Receipt” which, if opened, looks like a blurred-out preview of a Microsoft Excel file.
Over the blurred-out document pops up a Microsoft login page, trying to trick the victims into thinking they need to log into their Microsoft 365 accounts in order to view the contents of the file. Should the victims provide the login credentials, they’d go straight to the attackers.
“The email attack used language as the main attack vector in order to bypass both Microsoft Office 365 and EOP email security controls,” Armorblox explained. “These native email security layers are able to block mass spam and phishing campaigns and known malware and bad URLs. However, this targeted email attack bypassed Microsoft email security because it did not include any bad URLs or links and included an HTML file that included a malicious phishing form.”
As the researchers said, the attackers used a valid domain which allowed them to bypass Microsoft’s email authentication checks.
The best way for businesses to protect against phishing attacks is to train their employees to spot red flags in their inboxes, such as the sender’s email address, typos and spelling errors in the email, the sense of urgency (legitimate emails will almost never require the user to react urgently), and unexpected links/attachments.
We listed the best ID theft protection services today