Users of Microsoft Corp. email services are being targeted by a new phishing scam that sends fake messages pretending to be from FedEx Corp. and DHL International GmbH, threat researchers at Armorblox revealed. 

The two email attacks, one which impersonates a FedEx online document share, and the other pretending to share shipping details from DHL Express, aimed to extract victims' work email account credentials. Phishing pages were hosted on free services like Quip and Google Firebase to trick security technologies, such as Exchange Online Protection (EOP) and Microsoft Defender for Office 365, and users into thinking the links were legitimate. 

This email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to the FedEx email and ‘-1’ to the DHL email, which meant that Microsoft did not determine these emails as suspicious and delivered them to end user mailboxes. 

A summary of techniques used, according to Armorblox.  

  • Social engineering: The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively. Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies. All our inboxes are overflowing, after all. 
  • Brand impersonation: In the FedEx attack, the final phishing page spoofs an Office 365 portal and is replete with Microsoft branding. Requiring Microsoft account credentials to view an invoice document also passes the ‘logic test’ in most victims’ minds, since they get documents, sheets, and presentations from colleagues every day that encompass the same workflow. The DHL Express attack payload uses Adobe for its impersonation attempt, with the same underlying logic. 
  • Hosted on Quip and Google Firebase: The FedEx attack flow has two pages, the first one hosted on Quip and the final phishing page hosted on Google Firebase; the inherent legitimacy of these domains enables the email to get past security filters built to block known bad links and files. Check out our recent threat research on another email attack that hosted the phishing page on Google Firebase if you’re interested to learn more.
  • Link redirects and downloads: The FedEx attack flow has two redirects, and the DHL attack includes an HTML attachment rather than a URL for its phishing goals. These modified attack flows obfuscate the true final phishing page, which is another common technique to fool security technologies that attempt to follow links to their destinations and check for fake login pages.   

Chris Hazelton, Director of Security Solutions at Lookout, says, “There are few brands like FedEx, DHL, and UPS that can quickly capture the attention of targets. With everyone stuck at home - many recipients are anticipating something they bought online being delivered to them. This includes business transactions where threat actors are mimicking delivery services to trick people into giving up credentials to their organization's cloud services."

The goal here is to get people to click what they think is a valid link and then present them with a fake login page that they will recognize, Hazelton notes.  "If the fake page is convincing enough, then many users will login without thinking about it. These are the risks of cloud services, while they are accessible from any browser, many users inherently trust login screens that they recognize. Another highly successful tactic is to send text messages instead of email - as many users don't think about phishing attacks on mobile, and so they're more likely to respond to a phishing text than email.”

Tom Pendergast, Chief Learning Officer at MediaPro, explains, “Armorblox does a good job of identifying the technical details of this phish, but the human side is the same old story: phishes preying on the trust that humans place in known brands. People trust brands the way they trust friends—and thus they tend to overlook some oddities in behavior that they’d never accept from a “stranger.” That’s why we have to be so diligent about not taking anything in our inbox or online at face value.”

Isabelle Dumont, Vice President of Market Engagement at Cowbell Cyber, suggests, “Businesses need to remain vigilant and double down on protection, especially employee security awareness training, which is an effective first line of defense against phishing scams. This is where cyber insurance has stepped in recently by bundling standalone cyber policies for financial protection with additional resources - risk assessment services and cyber training.”    

For the full Armorblox blog, please visit