Microsoft email users seem to be repeatedly targeted by one phishing scam after another. One curious observation is that when Microsoft email users are targeted, the attacks are geared more towards the theft of credentials than towards performing malicious activities on the victim’s system. In a previous case involving SolarWinds, a similar password theft attempt was made. Now, in this particular case, Microsoft email users are being targeted by FedEx phishing emails.
The delivery company is being impersonated in phishing emails that actually steal the users’ Microsoft credentials.
How are the FedEx Phishing Emails Causing Damage?
A delivery always grabs attention. Whether it’s tracking an order once it’s shipped or attending to a doorstep delivery, we have all dropped whatever we were doing to check on these things. This exact reflex was exploited in this phishing scam.
The hackers sent emails posing as FedEx, the widely used delivery service in the United States. The email subject line read, “You have a new FedEx sent to you,” followed by the date the email was sent, to create a false sense of a real, current delivery.
“Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.” – Security Researchers Investigating This Case.
The FedEx phishing emails contained a supposed ‘FedEx scanned document’ with plausible details about the document to mask the hacking attempt. The document ID, number of pages, type of document and a link to view the supposed document were all part of the carefully constructed email body.
When victims clicked on the link, they were redirected to a file hosted on Quip (a Salesforce collaboration tool). The file sat on a legitimate Quip domain, so neither a glance at the address bar nor domain reputation alone would flag it, making the phishing attempt that much harder to detect.
This page carried the FedEx logo and other branding of the delivery company. It did not contain the alleged document itself, but rather a link through which users could supposedly review their missed FedEx document. Clicking that link led to a convincing Microsoft login page, which was of course spoofed. On entering their credentials, users were shown an error message asking them to enter the credentials again.
Researchers believe this is the hackers’ own mechanism for validating emails and passwords: a user who types the same password twice has most likely typed it correctly, so as many correct email-password pairs as possible are captured. This spoofed Microsoft login page was hosted on Google Firebase, another legitimate platform like Quip, which hosts web and mobile applications.
“We have observed a continuing trend of malicious actors hosting phishing pages on legitimate services like Google Sites, Box and Quip (in this case),” said researchers. “Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”
The phishing emails were sent to around 10,000 Microsoft email users. Other delivery companies, such as DHL, were impersonated in similar phishing campaigns.
Learning from the FedEx Phishing Campaign
Phishing tricks travel fast. In this case, well-known names like FedEx, DHL, Quip, and Firebase became the object of concern, not to mention Microsoft email products. It is only a matter of time before the same tricks are used in the Indian market with the delivery giants we associate with most, like Amazon or Flipkart. Also, since the pandemic hit, having goods like groceries and other items delivered to our doorstep has become so commonplace that such an email will definitely squeeze an emotional response out of the victims.
One of the primary defences against scams like these FedEx phishing emails is to treat every email with the same cool, calculating viewpoint, whether it is a work email or a personal one.
Every email can come attached with a big headache in the form of malware or credential theft. Check the destination behind each link to find out the true page you will be redirected to. Chances are the domain will look legitimate, because, as in this case, the page is hosted on a trusted service such as Quip or Firebase rather than on a lookalike domain. So you then have to look at the page itself for signs of brand impersonation: a FedEx-branded document or a Microsoft login form sitting on a domain that neither company owns.
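The two checks described above (where does each link really go, and is a branded login form sitting on a domain the brand does not own) can be scripted. The following is an added example written for this page and is not code from the original post or from Logix. The lists of brand domains and abused hosting services, the sample email and the sample login page are all constructed for illustration; the hostnames in them are assumptions, not indicators from the actual campaign.

```python
"""Heuristic link-and-page triage for delivery-themed credential phishing.

Added illustration, not the original post's or Logix's code.  The brand
domains, the list of legitimate hosting services known to be abused, and
the sample email and login page below are all constructed for this example.
"""
import re
from urllib.parse import urlparse

# Legitimate services the post notes are abused to host phishing pages.
ABUSED_HOSTING_SERVICES = (
    "quip.com",          # Salesforce Quip documents
    "firebaseapp.com",   # Google Firebase hosting
    "web.app",           # Google Firebase hosting (newer default domain)
    "sites.google.com",  # Google Sites
    "box.com",           # Box
)

# Brands and the domains they legitimately use (assumed, illustrative list).
BRAND_DOMAINS = {
    "fedex": ("fedex.com",),
    "dhl": ("dhl.com",),
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com", "office.com"),
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PASSWORD_FIELD_RE = re.compile(r"<input[^>]*type=[\"']?password", re.I)


def host_matches(hostname, domains):
    """True if hostname equals one of the domains or is a subdomain of one."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def brands_mentioned(text):
    """Brands whose name appears anywhere in the text (case-insensitive)."""
    lowered = text.lower()
    return [b for b in BRAND_DOMAINS if b in lowered]


def classify_link(url, brands):
    """Classify one link relative to the brand(s) the surrounding text invokes."""
    host = urlparse(url).hostname or ""
    on_brand = any(host_matches(host, BRAND_DOMAINS[b]) for b in brands)
    on_abused = host_matches(host, ABUSED_HOSTING_SERVICES)
    if on_brand:
        verdict = "brand-owned"
    elif on_abused:
        verdict = "brand-mismatch-on-hosting-service"
    else:
        verdict = "brand-mismatch"
    return {"url": url, "host": host, "verdict": verdict}


def triage_email(raw):
    """One finding per URL in the email, judged against the brands it name-drops."""
    brands = brands_mentioned(raw)
    return [classify_link(u, brands) for u in URL_RE.findall(raw)]


def page_impersonates(html, page_url):
    """Flag a password form that names a brand on a host that brand does not own."""
    host = urlparse(page_url).hostname or ""
    has_form = bool(PASSWORD_FIELD_RE.search(html))
    foreign = [b for b in brands_mentioned(html) if not host_matches(host, BRAND_DOMAINS[b])]
    return has_form and bool(foreign)


# Constructed sample email modelled on the lure described in the post.
SAMPLE_EMAIL = """Subject: You have a new FedEx sent to you 22 Feb
A FedEx scanned document is waiting for you.
Document ID: 8841-22   Pages: 3   Type: Shipping invoice
View document: https://quip.com/example-fedex-doc
Manage preferences: https://www.fedex.com/en-us/home.html
"""

# Constructed spoofed login page; the Firebase hostname below is invented.
SAMPLE_LOGIN_PAGE = """<html><title>Sign in to your account</title>
<body><img alt="Microsoft"><form method="post" action="/collect">
<input type="email" name="loginfmt"><input type="password" name="passwd">
<button>Sign in</button></form></body></html>"""
SAMPLE_LOGIN_URL = "https://fedex-document-review.firebaseapp.com/login"

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print(f"{finding['verdict']:36} {finding['url']}")
    print("login page impersonates brand:", page_impersonates(SAMPLE_LOGIN_PAGE, SAMPLE_LOGIN_URL))
```

The first check only tells you that a FedEx-themed email points at Quip rather than fedex.com; that is a prompt to look harder, not proof of phishing, because people do legitimately share Quip documents. The second check is the stronger signal: a form that asks for a password while showing Microsoft branding on a Firebase hostname is exactly the pattern described above, and a brand-owned domain such as login.microsoftonline.com would not trigger it.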
You will find other methods of preventing email scams in our blog on phishing prevention. But these are manual methods. A simpler way is to have an anti-phishing mechanism in place guarding your inbox. Logix provides such a mechanism in the form of its Email Advanced Threat Protection (ATP) solution.