November 24, 2023

Threat feed week 47: Black Friday, cash awards, donations, and impersonations, including Adobe, the US Treasury Department, Meta Support, Facebook Ads, Microsoft, and more

Black Friday order confirmation with a credential-harvesting form

“Message Received - Thank You "ORDER: USA-08814673"”

Hox rating: ★★★✩

Threat type: Advanced campaign

Payload: Malicious login form

Region: Global

Date: 20.11.2023

This Black Friday-themed email contains a deceptive fake sign-in form, aiming to trick the recipient during this highly popular shopping week.

Analyst: Sampo Lenkola

Adobe Acrobat impersonation

“e-Sign to procurement Monday, November 19, 2023 on 5:15:26 AM”

Hox rating: ★★★✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Global

Date: 20.11.2023

In this phishing email, the attacker tries to get the recipient to open a document regarding their workplace. The supposed document is actually a link leading to a malicious credential-harvesting website.

Analyst: Wivi Koenkytö

US Treasury Department cash award

“ATTENTION PLEASE!!!”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Pretext

Region: Global

Date: 20.11.2023

This email claims that the recipient has been awarded $10,350,000. According to the email, the recipient has to give their personal information and pay a $350 fee to claim their money.

Analyst: Siiri L.

Quote request with a malicious PDF and a credential harvester

“NEW CUSTOMER: QUOTATION REQUEST 11/17/2023”

Hox rating: ★★✩✩

Threat type: Advanced campaign

Payload: Malicious attachment

Region: Global

Date: 20.11.2023

This email claims to come from a company wanting to do business with the recipient company.

Attached to the email is a malicious PDF with a link leading to a credential harvester.

Analyst: Siiri L.

Omniva post and logistics impersonation

“⚠️ Last notice: your order will be cancelled within 24 hours !653144”

“⚠️ Viimane märkus: teie tellimus tühistatakse 24 tunni jooksul !653144”

Hox rating: ★★✩✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Estonia, Europe

Date: 20.11.2023

In this phishing email, the attacker claims that the recipient ordered a package and that they need to complete a payment to receive the package. The link to pay for the shipment is actually a link to a credential-harvesting website.

Analyst: Wivi Koenkytö

Finnish police impersonation

“police report 19.11.2023”

“poliisiraportti 19.11.2023”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Pretext

Region: Finland

Date: 20.11.2023

In this phishing email, the attacker tries to trigger a sense of panic in the recipient by impersonating the local police authority. The email contains a PDF file styled as a lawsuit accusing the recipient of possessing, in this case, child pornography. The attacker pushes the recipient to answer the message as soon as possible, with the aim of getting money from them.

Analyst: Wivi Koenkytö

You’ve received a donation

“Important message…..”

“Vigtig besked.....”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Pretext

Region: Denmark

Date: 21.11.2023

“A donation of 2,500.000.00 euros has been presented to you by Mrs. Mavis Wanczy.”  

In this phishing email, the attacker impersonates a known lottery winner to get the recipient to think they were chosen to receive a large amount of money. In these types of emails, the attacker tries to get the recipient to answer their message and continue the conversation until the recipient gives their credentials, money, or whatever else the attacker wants.

Analyst: Wivi Koenkytö

Meta Support impersonation

“Urgent: Notice of Violation of Community Standards on Your Facebook Profile”

Hox rating: ★★✩✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Global

Date: 21.11.2023

In this phishing email, the attacker impersonates Meta, falsely claiming that the recipient’s account violated community standards.

The email urges the recipient to use a given link to access the Meta Help Center or Live Chat to resolve the issue.

However, this link is deceptive and leads to a malicious website designed to harvest personal information.

Analyst: Sampo Lenkola

Facebook Ads impersonation

“Urgent notice: Your ad account and site are limited”

“Kiireellinen huomautus: Mainostiliäsi ja sivustoasi on rajoitettu”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Finland

Date: 23.11.2023

“We regret to inform you that your Facebook page and advertising activities have been temporarily restricted due to violating the following community standards...”

In this phishing email, the attacker tries to get the recipient’s credentials by claiming they’ve violated Facebook’s community standards. The attacker triggers a sense of panic in the recipient by asking for an immediate response. The link to confirm or challenge the accusations is actually a link to a credential-harvesting website.

Analyst: Wivi Koenkytö

Microsoft credential notification impersonation

“Reminder: Important Credential Notification 11/23/2023 6:29 AM”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 23.11.2023

This campaign impersonates Microsoft, claiming they’ll terminate the recipient’s account password credentials. To avoid losing access, the recipient has to click the KEEP MY SAME PASSWORD button. The button then leads the recipient to a credential harvester.

Analyst: Kaarlo Mahlberg
