January 26, 2024

Threat feed week 4: Adobe Acrobat, Microsoft, Outlook impersonations, and local credential harvesters


Adobe Acrobat Sign impersonation

“Request "Funds Disbursement Settlement Instructions"”

Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Date: 25.01.2024

This email impersonates Adobe Acrobat and invites the recipient to review and sign a document called "Investor Portal-Funds_Disbursement_Settlement_Instructions".

Clicking the 'Review and sign' button redirects the recipient to a credential harvester.

Analyst: Kaarlo Mahlberg

Microsoft impersonation: Password system reminder

“OneTimeConfirmation:Retain notification response needed today -Password -expiration -review”

Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Date: 25.01.2024

In this large phishing campaign, the attacker uses fake Microsoft reminder banners to convince the recipient to give out their credentials.

The button to 'Keep My Same Login Access' is actually a link to a credential harvesting website. Campaigns like this have been extremely prevalent in our data since the beginning of the year.

Analyst: Wivi Koenkytö

Outlook impersonation

“Action required”

Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Date: 25.01.2024

This email impersonates Outlook, claiming that the recipient's password is expiring today. Urgency is used to socially engineer the recipient into clicking one of the links. Note that neither link is actually for changing the password; the options are only to keep the same one or to skip changing it for six months.

This email obfuscates its text in an attempt to bypass email filters. Special characters are used in keywords like 'action', 'password' and 'account'.

Analyst: Siiri L.
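
The keyword obfuscation described in the Outlook entry above can be caught by folding each word to plain letters and flagging keywords that match only after folding. This is an added example, not Hoxhunt's code; the look-alike map and the sample text are constructed, since the post does not say which special characters were used.

```python
import unicodedata

# Keywords the Outlook entry names as obfuscated.
KEYWORDS = ("action", "password", "account")

# Assumption: constructed look-alike map (Cyrillic letters that resemble
# Latin ones). The post does not list the characters actually used.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0455": "s", "\u0456": "i", "\u0443": "y",
})


def fold(token: str) -> str:
    """Reduce a token to plain lowercase letters for keyword matching."""
    kept = []
    # NFKD splits accented letters into base + combining mark and maps
    # fullwidth / styled letters to their plain forms.
    for ch in unicodedata.normalize("NFKD", token):
        # Mn = combining marks, Cf = invisible format characters
        # such as zero-width space or soft hyphen.
        if unicodedata.category(ch) not in ("Mn", "Cf"):
            kept.append(ch)
    return "".join(kept).casefold().translate(CONFUSABLES)


def obfuscated_keywords(text: str) -> list[tuple[str, str]]:
    """Return (keyword, raw token) pairs that match only after folding."""
    hits = []
    for token in text.split():
        folded = fold(token)
        for kw in KEYWORDS:
            # A keyword that is readable as-is is not obfuscated.
            if kw in folded and kw not in token.casefold():
                hits.append((kw, token))
    return hits


# Constructed sample: Cyrillic letters, a zero-width space and an umlaut.
SAMPLE = ("A\u0441tion required: your p\u0430ssw\u200bord expires today. "
          "Keep your acc\u00f6unt password.")

if __name__ == "__main__":
    for kw, raw in obfuscated_keywords(SAMPLE):
        print(f"{kw!r} hidden in {raw!r}")
```

A keyword that appears only in its folded form is a stronger signal than the keyword itself, because legitimate senders have no reason to hide these words.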

PostNord impersonation

“Der er en opdatering i din pakkeleveringsstatus!” (Danish: "There is an update in your package delivery status!")

Hox rating: ★★★✩
Threat type: Advanced campaign
Payload: Malicious link
Region: Nordics
Date: 23.01.2024

In this advanced phishing campaign, the attacker aims to get the recipient's banking details by impersonating PostNord, a postal service mainly operating in the Nordics.

Postal companies rarely send any emails—especially ones that repeat the body of the message twice, which makes this very suspicious.

Analyst: Wivi Koenkytö

BankID impersonation

“Sjekke integriteten til informasjonen din” (Norwegian: "Check the integrity of your information")

Hox rating: ★★★✩
Threat type: Advanced campaign
Payload: Malicious link
Region: Nordics
Date: 23.01.2024

"You will be asked to validate your information by following our instructions to avoid suspension of your online services. Without action on your part and in accordance with applicable law, we will be forced to suspend your online services."

In this phishing email, the attacker claims that the recipient's access to online services will be suspended if they do not confirm their information in the service. The link in the message leads to a credential harvester.  

Analyst: Wivi Koenkytö

QuickBooks impersonation

“Payment Approved: Your Plan is Now Confirmed!”

Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious phone number
Region: North America
Date: 18.01.2024

In this phishing email, the attacker impersonates the accounting software QuickBooks to scam the recipient. The invoice is unexpected, which is meant to prompt the recipient to call the phone number.

In this sort of attack, the attacker's goal is often to get the recipient's banking details or to install remote software on the victim's device to conduct malicious activities.

Analyst: Wivi Koenkytö
