December 8, 2023

Threat feed week 49: eBay, Microsoft, SAP, McAfee, QuickBooks, and telecom impersonations

eBay impersonation

“Order Confirmation and Payment Receipt”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious phone number

Region: UK

Date: 02.12.2023

This email impersonates eBay, claiming they’ve shipped the recipient’s new iPad.

The goal is to have the recipient call the malicious phone number.

The ship-to address is Hotham House, a commercial building hosting the eBay UK headquarters.

Analyst: Siiri L.

Fake Microsoft Mailbox Delivery Report

“Delivery message failed from company server...”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 02.12.2023

In this phishing email, the recipient is tricked into believing that some of their incoming messages haven’t been delivered to their inbox.

The link to open the messages actually leads to a credential-harvesting website.

Note how the greeting in the message uses the prefix of the recipient’s email address, ‘firstname.lastname’, to make the message feel more genuine.

In cases where the recipient’s email doesn’t include their whole name, this just looks strange, revealing that this is a phishing email.

Analyst: Wivi Koenkytö

Telia telecom impersonation

“Re: Important information regarding a refund of subscription payment”

“Re: Viktig Iոfοrmatiοո aոgåеոdе Rеfusiοո af Abοոոеmеոtsbеtaliոg”

Hox rating: ★★★✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Nordics

Date: 02.12.2023

In this phishing email, the attacker impersonates the telecommunications company Telia and claims that the company charged the recipient twice, which is why they’re entitled to a refund.

The attacker created a fake website to convince the recipient to give their credentials and credit card information to the attacker.

Analyst: Wivi Koenkytö

SAP admin impersonation

“Aged Account”

Hox rating: ★★★✩

Threat type: Advanced campaign

Payload: Malicious attachment

Region: Global

Date: 03.12.2023

This email claims to come from an SAP admin account, informing the recipient about an outstanding invoice.

Attached is a malicious HTML file that leads to a credential harvester.

Analyst: Siiri L.

McAfee subscription update request

“Update billing”

“Päivitä laskutus”

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Finland

Date: 04.12.2023

“Please renew your subscription because you are no longer protected from cyberattacks and hacking. For your safety, we strongly recommend continuing your subscription. If you do not renew your membership, your account will be closed within 48 hours.”

This phishing email tries to convince the recipient that their McAfee subscription has ended and that they should renew it for their own safety.

The message takes an assertive tone, using phrases like ‘last warning’ or ‘we strongly recommend you continue your subscription’, which suggests that it may not be a genuine message.

The link embedded in the message leads to a credential-harvesting website.

Analyst: Wivi Koenkytö

QuickBooks impersonation

“Heartfelt Thanks for Your Trust – Let's Make it Extraordinary!”

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Malicious phone number

Region: Global

Date: 04.12.2023

This email impersonates QuickBooks. It attempts to create a scenario where the recipient signed up for a Business Essentials Plan from QuickBooks.

To cancel the order, the recipient has to call a malicious phone number.

Analyst: Kaarlo Mahlberg
