PayPal impersonation
“Order Confirmation! Payment ID...”
Hox rating: ★★★✩
Threat type: Bulk phishing
Payload: Malicious phone number
Region: Europe
Date: 16.10.2023
This phishing email tries to get the recipient to call the malicious phone number by informing them about a fake order that the recipient supposedly made.

It’s impersonating PayPal and using the Norton logo for added legitimacy.
Analyst: Wivi Koenkytö
Outlook password expiration
“Açtion Required”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Europe
Date: 16.10.2023
This phishing email aims to get the recipient’s credentials by pushing them to press one of the malicious links. Both links lead to a malicious website.

It attempts to create urgency by impersonating Outlook and threatening to restrict access to the user’s email account.
Analyst: Wivi Koenkytö
Microsoft password expiration notification
“Password Update Required”
Hox rating: ★✩✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Europe
Date: 16.10.2023
This phishing email aims to get the recipient’s credentials by having them press the “Use Same Login Credentials” button, which carries the malicious link.

The attacker creates a sense of urgency by saying that user credentials will be lost within 48 hours.
Analyst: Wivi Koenkytö
Nets impersonation—payment solutions company
“EXTERNAL: New email from Nets.”
“EXTERN: Ny e-post fra Nets.”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Europe
Date: 16.10.2023
"We received a transaction request from your credit card with an IP address outside Denmark. For this reason, we have delayed debiting for 24 hours."
"Request a refund by clicking on the link below and following the instructions."

The attacker aims to get the recipient's credentials by telling them that someone has used their credit card outside their country and that the amount can be refunded by pressing the malicious link.
Analyst: Wivi Koenkytö
PayLife impersonation—German credit card service
“RE:Important security update to your PayLife account!!”
“RE:Wichtiges Sicherheitsupdate für Ihr Paylife-Konto!!”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Europe
Date: 17.10.2023
This phishing email aims to get the recipient to click the malicious link leading to a malicious website.

The website is probably a credential harvesting site or another malicious site.
Analyst: Wivi Koenkytö
DocuSign QR code impersonation
“eFile_shared_with_you - 'Financial Statement#HcSas-4689/5558 // Billings'”
Hox rating: ★✩✩✩
Threat type: Bulk phishing
Payload: Malicious QR code
Region: Global
Date: 18.10.2023
This email impersonates DocuSign, attempting to lure the recipient into scanning a malicious QR code.

This phishing tactic is part of an ongoing trend where QR codes are used for malicious purposes.
Analyst: Sampo Lenkola
Bitcoin sextortion
“There is an overdue payment under your name. Please, settle your debts ASAP.”
Hox rating: ★✩✩✩
Threat type: Bulk phishing
Payload: Cryptocurrency ransom
Region: Europe
Date: 19.10.2023
This is an interesting example of a typical phishing email using sextortion to get money from the recipient. The attacker claims to have the recipient’s explicit material and demands that the recipient pay a sum of money in Bitcoin, or the attacker will publish the material.

In these types of threats, the sender email is often spoofed to be the email address of the recipient.
Analyst: Wivi Koenkytö
Hetzner impersonation
“Urgent: Domain Suspension Notice - Action Required”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Europe
Date: 19.10.2023
This phishing email attempts to impersonate Hetzner. It informs the recipient that their domain has been suspended.

To renew their domain, the recipient is urged to click the ‘Register’ button.
Analyst: Jon Gellin
McAfee impersonation
“Final Warning: (12) Virus in your device”
“Letzte Warnung: (12) Virus in Ihrem Gerät”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Germany
Date: 20.10.2023
This phishing email is impersonating McAfee. The email claims that the recipient’s McAfee subscription has expired and offers a discount to renew their subscription.

The email also claims that the user has 12 viruses on their device.
Analyst: Kaarlo Mahlberg
Santander impersonation
“Avoid blocking!”
“Unngå blokkering!”
Hox rating: ★★✩✩
Threat type: Advanced campaign
Payload: Malicious link
Region: Nordics
Date: 20.10.2023
This phishing email is impersonating Santander. It claims the recipient’s credit card is blocked, and they must authenticate themselves online to continue using it.

The recipient is given a short deadline to act before permanently losing access to their credit card.
Analyst: Minna Herlevi