FedEx and DHL Express have recently been subjected to large-scale phishing attacks, with a combined 10,000 victims targeted, in the favor of poaching the victims’ business email account credentials.

The threat actors integrated various methods like social engineering, brand impersonation, and link redirects. They also hosted phishing websites on Google Firebase and Quip to generate a sense of authenticity. Since the aforementioned domains are deemed exemplary, deceptive emails can evade cybersecurity defenses that may have been set up.

The attack course of FedEx phishing attacks is quite layered, so much so, that the authenticity can be considered. When a victim is sent the phishing email, it claims to contain scanned documents meant to be reviewed. After clicking the link, the victim is redirected to a file on Quip. Quip is an add-on for Salesforce that provides multiple platforms like slides, documents, and spreadsheets. The page then notifies the victim of FedEx documents and prompts them to “Click Here to Review Document.” 

When clicked, the victim is then routed to the final phishing stage that displays a page resembling a Microsoft login portal however, is hosted on Google Firebase. Tools like Quip and Google Firebase have free versions and are usually easy to use and implement. This gives bad actors and phishing perpetrators a rather low bar to deploy such legitimate-looking phishing emails.

The DHS Express phishing attacks unfold in a similar fashion. The phishing emails are sent to victims imitating DHS Express and are used to notify them that a parcel has arrived for them. Victims are then briefed that the parcel couldn’t be delivered due to incorrect delivery instructions and are fostered to download attached documents to verify the shipping details.

Accessing this downloaded attachment outlines certain spreadsheets which appear to be shipping documents. However, above that is a login incite imitating the Adobe brand. While it’s possible that the phishing perpetrators were seeking Adobe credentials, experts believe it also targets business email credentials since the login box is usually prefilled with the victims’ work email addresses. 

In both attacks, inputting pretend information on the phony login page returns an error, requesting authentic and legitimate information. This could imply a back-end tool to verify the accuracy of entered details, or the email perpetrators may be hoarding as much data as they can, and an error message will pop up regardless of the authenticity.