Microsoft password expiration impersonation
“_INC084371 : Issue Assigned: (MS-3LE2-PJGR0X-LLT7) Access”
“Your account-password will expire today!”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Date: 11.11.2023
This campaign impersonates Microsoft, claiming that the recipient’s account password expires in 24 hours and they’ll lose access.
To avoid losing access, the recipient has to click the malicious link and submit their login credentials.

Analyst: Siiri Latola
Blocked inbox error message
“Review Error Report (7 Blocked Emails)”
Hox rating: ★★✩✩
Threat type: Advanced campaign
Payload: Malicious link
Region: Global
Date: 13.11.2023
The email suggests there’s an issue with the recipient’s email inbox and attempts to lure the user into clicking a harmful link under the guise of checking their incoming blocked emails.

Analyst: Sampo Lenkola
HR time off request impersonation
“Time-Off Request Response”
Hox rating: ★✩✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Date: 13.11.2023
This email claims that an employee’s time off request for sick leave was approved.
A link leads to a credential harvester that asks for the recipient’s work email and password to authenticate the submission.

Analyst: Siiri Latola
Magyar Posta impersonation
“Szükséges művelet: A csomag nem kézbesíthető”
“Required action: The package cannot be delivered”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Hungary
Date: 13.11.2023
In this phishing email, the attacker aims to obtain the recipient’s credentials by claiming that their package can’t be delivered until the recipient completes a payment.
The links embedded in the email are malicious and lead to a credential-harvesting site.

Analyst: Wivi Koenkytö
Microsoft impersonation
“INCNUMDER40k3: /pIW45_Alert!!!”
“Your password expires today”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Europe
Date: 14.11.2023
In this phishing email, the attacker tries to get the recipient’s credentials by creating a sense of urgency, claiming that their password has expired.
The link is actually malicious, leading to a credential harvester.

Analyst: Wivi Koenkytö
QuickBooks impersonation
“Success! Payment & Plan Confirmed”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious phone number
Region: Nordics
Date: 14.11.2023
In this phishing email, the attacker tries to get the recipient to call the malicious phone number by claiming that payment was completed under their name.

Analyst: Wivi Koenkytö
Outlook QR code impersonation
“Authentication Expire Notification Friday-November-2023 00:26 AM”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious QR code
Region: Europe
Date: 15.11.2023
In this phishing email, the attacker tries to get the recipient to scan the malicious QR code by creating a sense of urgency and claiming that their account authentication expires today.

Analyst: Wivi Koenkytö
Chase Bank impersonation
“Urgent: Profile Information Verification Needed”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: North America
Date: 15.11.2023
In this phishing email, the attacker tries to get the recipient to click a malicious link, which most likely leads to a credential-harvesting website.

Analyst: Wivi Koenkytö
Microsoft impersonation
“❗️Credentials Expire November 15 2023,”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Europe
Date: 16.11.2023
In this phishing email, the attacker tries to get the recipient’s credentials by claiming that their credentials have expired.
The link in the email is malicious, leading to a credential-harvesting website.

Analyst: Wivi Koenkytö
ZkSync cryptocurrency impersonation
“ZkSync protocol Airdrop”
Hox rating: ★★★✩
Threat type: Advanced campaign
Payload: Malicious link
Region: Global
Date: 16.11.2023
The email impersonates zkSync, a cryptocurrency protocol.
It claims that the recipients are eligible for a free zkSync token airdrop. By clicking the ‘Claim Rewards’ button, the recipients are redirected to a fake zkSync landing page.
The fake page prompts visitors to connect their cryptocurrency wallet in the hope of receiving free tokens.
Once a wallet is connected to the service, however, malicious actors can drain it.

Analyst: Kaarlo Mahlberg
Microsoft impersonation
“New VM for”
“Your Caller just left you a Message”
Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Date: 17.11.2023
This email is impersonating Microsoft. The email claims that the recipient has a new voice message.
The recipient is asked to click play to listen to the voice message. After clicking the voice message, the recipient is redirected to a malicious credential harvester.

Analyst: Kaarlo Mahlberg