Microsoft QR code phishing email
Hox rating: ★★✩✩
Threat type: Advanced campaign
Payload: Malicious QR code and malicious link
Region: Global
Analyst: Suvi Hakala
Date: 01.08.2023
This phishing email pretends to be from Microsoft and uses a QR code to deliver the payload. The message claims the recipient’s password has expired and that they must enable MFA by scanning the QR code.

Unlike most previous QR phishes, this attack also includes a malicious link. The link uses target recognition: visitors who are not the intended targets are redirected to a legitimate Microsoft login page.

Microsoft impersonation
Hox rating: ★✩✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Analyst: Minna Herlevi
Date: 04.08.2023
This phishing email informs the recipient that their mailbox is almost full. The malicious actor leverages urgency to get people to click the link, supposedly to avoid a disruption to their email service that could result in missed emails.

OneDrive impersonation
Hox rating: ★✩✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Analyst: Minna Herlevi
Date: 04.08.2023
This phishing email impersonates OneDrive. The email claims that you have received a new document through the service and that you must click the link to access it.

American Express impersonation
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious phone number
Region: Europe
Analyst: Julia Kylmälä
Date: 04.08.2023
The email looks like a payment receipt from American Express.

The email contains a phone number as the only line of communication, and the attacker relies on the recipient to call the number to cancel the unrecognized payment. Calling the number would most likely result in a huge phone bill.

LinkedIn business fake transaction notification
Hox rating: ★✩✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Analyst: Reetta Sainio
Date: 04.08.2023
This phishing email disguises itself as a transaction receipt, using a LinkedIn “slink” to redirect recipients to a deceptive Office website to harvest their credentials.

The “slink” can only be used if you have a LinkedIn business account. In this attack, the attacker took advantage of a hijacked LinkedIn account or created a new one to propagate the malicious link.

These threats are selected from the latest phishing attacks reported by the global Hoxhunt human threat detection network.