January 12, 2024

Threat feed week 2: Google, Microsoft, Outlook, Teams, DHL, and PostNord impersonations


Microsoft and Google impersonation

“SECURITY ALERT! Your device needs cleaning!”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 03.01.2024

In this strange phishing email, the attacker uses the brands of both Microsoft and Google to scam the recipient.

The recipient is told that their device needs to be cleaned due to detected suspicious activity and that they should remove the virus through the given link.

In reality, the link leads to a malicious credential-harvesting website.


Analyst: Wivi Koenkytö

NAV Norwegian Labor and Welfare Administration impersonation

“Refund of NOK 1229.00”

“Refusjon på NOK 1229.00”

Hox rating: ★★★✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Norway

Date: 08.01.2024

“We hope this message finds you well. We have registered a refund of NOK 1229.00 in your favor.”

“Please go to the refund form by clicking here. Note: In order for the refund to be processed, it is important that we receive correct confirmation from you.”

In this advanced phishing campaign, the attacker claims that the recipient is entitled to a refund of 1229.00 Norwegian kroner for unspecified reasons.

The website the link leads to asks for the user’s social security number, phone number, date of birth, password, and credit card information, in the name of NAV, which makes this an especially vicious threat.


Analyst: Wivi Koenkytö

PostNord impersonation

“Package delivery date!”

“Pakke på leveringsdatoen!”

Hox rating: ★★✩✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Nordic

Date: 08.01.2024

This phishing email is trying to impersonate PostNord.

The email claims that the recipient has to pay customs fees for the incoming package by clicking the link in the email.

The link then redirects the recipient to a fake PostNord page that asks the recipient to pay the customs fee.


Analyst: Kaarlo Mahlberg

Microsoft Outlook impersonation

“Your access is up for re-validation today”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 08.01.2024

This campaign impersonates Microsoft, claiming they’ll terminate the recipient’s account.

To avoid losing access, the recipient has to click the ‘Keep My Same Password’ button.

The button then leads the recipient to a credential harvester.


Analyst: Kaarlo Mahlberg

DHL impersonation

“Parcel status: The shipment is on its final journey”

“Paketstatus: Die Sendung auf dem letzten Weg”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Central Europe

Date: 11.01.2024

“Great news: your order will be delivered shortly. Our delivery service strives to ensure efficient delivery. To track your shipment, follow our link.”

In this phishing email, the recipient is told that they can follow their order through the link given in the message.

The message is extremely poorly designed, considering that it impersonates DHL. But what makes this interesting is the fake DHL website the malicious link leads to and how detailed it is.


Notice also that before the fake DHL website, there’s a fake CAPTCHA check that literally says, “Please complete the security check to access dhl.com,” despite the link domain not being mentioned.


Analyst: Wivi Koenkytö

Microsoft Teams impersonation

“New Teams Documents shared in Company Teams”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 11.01.2024

This email impersonates Microsoft Teams, notifying the recipient of new documents shared by MTeams.

The goal is to raise curiosity to get the recipient to click a malicious hyperlink embedded in the ‘View in Teams’ banner.


Analyst: Siiri L.
