December 1, 2023

Threat feed week 48: Netflix, DocuSign, Microsoft Planner, QuickBooks, McAfee, Polygon, Avalanche, Danske Bank, plus other postal, banking, and crypto phishes

DocuSign impersonation

“Action Required: Document Completed Friday November, 24, 2023”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 25.11.2023

This phishing email is impersonating DocuSign. The email claims that the recipient has a completed document available.

When the recipient clicks the VIEW COMPLETED DOCUMENT button, it leads the recipient to a credential harvester.

Analyst: Kaarlo Mahlberg

DPD delivery fee impersonation

“Important notice: Problem with your shipping address”

“Wichtige Mitteilung: Problem mit Ihrer Lieferadresse”

Hox rating: ★★★✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Germany

Date: 25.11.2023

“Please follow this link to complete your address details and pay the necessary delivery fees. This is a crucial step to ensure your package arrives without delays.”

In this phishing email, the attacker tries to get the recipient’s credentials by impersonating a postal service. The link to pay the delivery fees is actually a link to a malicious credential-harvesting website.

Analyst: Wivi Koenkytö

Netflix payment impersonation

“Notice: Sorry, we must temporarily suspend your membership.”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 27.11.2023

This email is impersonating Netflix. The email says there was a problem with the recipient’s payment processing.

It then says that the recipient can resolve the issue quickly by clicking the link in the mail. The link then redirects the recipient to a credential harvester.

Analyst: Kaarlo Mahlberg

Microsoft Planner notification impersonation

“[YOUR COMPANY] has assigned you to a team”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Europe

Date: 27.11.2023

In this phishing email, the attacker tries to get the recipient to open a malicious link by sending a very convincing imitation of a Microsoft Planner notification.

The link actually leads to a credential-harvesting website.

Analyst: Wivi Koenkytö

QuickBooks subscription impersonation

“Thrilled that You Chose Us - Thanks a Million for Your Trust - Your Satisfaction is Our Priority!”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious phone number

Region: Global

Date: 29.11.2023

This email pretends to come from QuickBooks, telling the recipient that their subscription was successfully renewed.

The goal is to have the recipient call the malicious phone number.

Analyst: Siiri Latola

McAfee subscription renewal scam

“Your Membership Renewal Details”

Hox rating: ★★✩✩

Threat type: Advanced campaign

Payload: Malicious phone number

Region: Europe

Date: 30.11.2023

In this phishing email, the attacker attempts to get the recipient to call the malicious number in the message by informing them of a successful McAfee subscription renewal that the recipient never actually made.

As the recipient isn’t given any other contact information in the message, it creates pressure for the recipient to call the phone number.

Analyst: Wivi Koenkytö

Danske Bank notification impersonation

“✅ You have (1) important message..... ”

“✅ Sinulla on (1) tärkeä viesti..... ”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Finland

Date: 30.11.2023

This email claims to come from Danske Bank, informing the recipient that they have a new message in their encrypted mailbox and can access the message via the hyperlink provided.

Analyst: Siiri Latola

Invoice payment overdue

“Reminder - Invoice Payment Due 80 Days Ago”

Hox rating: ★★✩✩

Threat type: Advanced campaign

Payload: Malicious attachment

Region: Global

Date: 30.11.2023

This email pretends to inform the recipient about an overdue payment, claiming that there’s more information in the attached PDF.

The PDF looks like a banner saying something went wrong, and the Refresh button is a link to a malicious website.

Analyst: Siiri Latola

BankID impersonation

“We need some information. (Ref : KL-P-41657446265499)”

“Vi trenger litt informasjon. (Ref : KL-P-41657446265499)”

Hox rating: ★★✩✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Nordics

Date: 30.11.2023

“We regret to inform you that you can't access all your Bankid benefits, such as Send money and purchases, due to account restrictions

You must check your account details on our secure server via the link below.

And follow all the steps”

In this phishing email, the attacker informs the recipient that they can't access their BankID benefits due to account restrictions.

The attacker aims to get the recipient to click the malicious link, which actually leads to a credential-harvesting site.

Analyst: Wivi Koenkytö

Polygon crypto prize impersonation

“Congratulations! You've Won $800! Claim Your Prize Now.”

Hox rating: ★★★✩

Threat type: Advanced campaign

Payload: Malicious link and QR code

Region: Europe

Date: 01.12.2023

This email claims the recipient has won $800 in MATIC crypto for being a member of the Polygon community.

The link leads to a fake website that impersonates Avalanche and claims to give away $400,000 in $AVAX to recipients who connect their wallet.

Note that the email and website are impersonating two different and unrelated companies. Most likely, it's an error on the sender’s part.

Eventually, the recipient is asked to scan a QR code to enter their wallet details.

Analyst: Siiri Latola
