publishing date icon
April 21, 2023
read time icon
5 min. read

Threat feed week 16: Meta, SAP, and impersonations, and eFax bulk phishing campaign

Author image
Threat Analyst Team
Post hero image

Table of contents

share this post

Meta Impersonation Email

Hox rating: ★★★✩

Threat type: Advanced campaign

Region: Global

Analyst: Reetta Sainio

Date: 20.4.2023

This phishing email was sent in the name of Meta Platforms Inc. It targets businesses by claiming their accounts violate intellectual property rights, resulting in temporary restrictions.

Victims are redirected to an alarmingly authentic-looking site ‘’, where they unknowingly give sensitive information in an attempt to resolve the issue.

The attack exploits users’ trust in platform policies, making it especially dangerous and effective.

eFax Phishing Campaign

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Region: Global

Analyst: Jon Gellin

Date: 20.4.2023

This phishing message, disguised as an eFax notification, informs the recipient of a document sent to them. The email contains a call to action, urging the user to click a provided link to view the document.

The malicious actors have included a fake email banner for added legitimacy, claiming the email sender is verified.

Upon clicking the link, the user is sent to a malicious website designed to harvest sensitive information, such as login credentials.

SAP Impersonation

Hox rating: ★★✩✩

Threat type: Advanced campaign

Region: Global

Analyst: Minna Herlevi

Date: 21.4.2023

This phishing email is attempting to impersonate SAP using domain spoofing. But the malicious actors mistakenly spoofed the sender domain to DocuSign, so it's quite easy to spot.

The payload itself uses an open redirect to make the link look like it's going to YouTube, but in reality, it leads to a credential harvester at a completely different URL.

SAP Impersonation Impersonation

Hox rating: ★★✩✩

Threat type: Advanced campaign

Region: Global

Analyst: Suvi Hakala

Date: 21.4.2023

This phishing email attempts to impersonate the online travel agency with a flash attack using a newly registered lookalike domain. The email claims the recipient received a travel credit reward expiring shortly and asks them to claim it by clicking the provided link.

The link redirects the user to a malicious site for harvesting personal information and banking credentials. The theme of this phishing campaign is timely with upcoming summer vacations.

Keep up with the threat feed

Don't miss the next threat feed, and subscribe to our newsletter for the latest feed and cybersecurity content. Stay informed and stay safe!

Subscribe to Threat Feed

Subscribe to Hoxhunt's Threat Feed to get the latest phishing threats delivered to your inbox, every Friday.

Form CTA

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.