A new report from researchers from Armorblox Inc. details a new spin on a credential-phishing attack that uses an old favorite — fake shipping correspondence from DHL — to breach Microsoft 365 and Exchange Online Protection.

The phishing campaign targeted more than 10,000 inboxes at a private education institution and used social engineering and brand impersonation to replicate existing business workflows, with a malicious attachment thrown in for good measure.

The emails targeting the institution were titled “DHL Shipping Document/Invoice Receipt” to encourage victims to open the email in a timely fashion. At first glance, the email appears legitimate, complete with a response email that includes DHL. The body of the email includes DHL branding and informs recipients about a parcel sent by a customer that needs to be rerouted to the correct delivery address.

The body of the email has one call to action: to view an attached document to confirm the destination address of the parcel shipment. The attachment, named “Shipping Document Invoice Receipt,” further instills trust in the unsuspecting victim.

Not surprisingly, the attachment is not what it seems. Upon opening the document, viewers are provided a blurred-out preview of the attachment’s content – a Microsoft Excel file. To access the document, viewers are then prompted to provide their Microsoft login credentials, being tricked into believing that they must do so to view the file. Then their usernames and passwords are sent directly to the attacker.

“The email attack used language as the main attack vector in order to bypass both Microsoft Office 365 and EOP email security controls,” the researchers explain. “These native email security layers are able to block mass spam and phishing campaigns and known malware and bad URLs. However, this targeted email attack bypassed Microsoft email security because it did not include any bad URLs or links and included an HTML file that included a malicious phishing form.”

By using a valid domain, the emails bypassed all of Microsoft’s email authentication checks.

The researchers advise that native email security, such as that offered by Microsoft, should be augmented for better protection against email attacks. Training staff to look for fake messages such as these is also mentioned as another method to protect against phishing campaigns. In addition, multifactor authentication and password management best practices should be deployed to reduce the risk of attackers gaining access to accounts.

Photo: Raimond Spekking/Wikimedia Commons