February 2, 2024

Threat feed week 5: Disney+, CXO, and HR impersonations, plus a fake invoice


Disney+ impersonation

“Dit abonnement er suspenderet” (Danish: “Your subscription is suspended”)

Hox rating: ★★✩✩
Threat type: Bulk phishing
Payload: Malicious link
Region: Global
Date: 30.01.2024

This email is impersonating Disney+. It falsely claims impending subscription suspension due to billing errors and urges the recipient to give personal and credit card details to fix this.


Analyst: Sampo Lenkola

CXO impersonation

“Update!”

Hox rating: ★★★✩
Threat type: Spear phishing
Payload: Pretext
Region: Global
Date: 30.01.2024

This email impersonates a senior executive. The sender claims to want to change their bank account information, with the aim of tricking HR into redirecting the executive's next paycheck to the wrong bank account.


It is noteworthy that the sender field has been altered to make the recipient believe that the email is actually from their executive.

Analyst: Siiri L.
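
One way a mail filter could flag the altered sender field described above, as an added example that is not part of the original post or Hoxhunt's tooling. It assumes the alteration is a display-name spoof and adds a Reply-To comparison the post does not mention; the corporate domain, executive names, and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumptions (not from the original post): the organisation's mail domain
# and the executive names the filter should protect.
CORPORATE_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe", "john smith"}

def _norm(name):
    """Lower-case, strip accents and collapse whitespace for comparison."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().split())

def check_sender(raw_message):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # An executive's name paired with an address outside the organisation.
    if _norm(display) in PROTECTED_NAMES and domain not in CORPORATE_DOMAINS:
        findings.append("executive display name on external address")
    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages (not taken from the reported email).
SPOOFED = (
    "From: Jane Doe <jane.doe.ceo@mail.example.net>\n"
    "Reply-To: payroll-update@example.org\n"
    "To: hr@example.com\n"
    "Subject: Update!\n\n"
    "Please change my direct deposit details before the next payroll.\n"
)
GENUINE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: hr@example.com\n"
    "Subject: Quarterly review\n\n"
    "See attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_sender(raw))
```
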

HR impersonation

“ATTENTION EMPLOYEES: 2024 Acceptance Of Gratuity Policy”

Hox rating: ★★★✩
Threat type: Advanced
Payload: Malicious link
Region: Global
Date: 30.01.2024

In this phishing email, the attacker impersonates the HR department of the recipient's company. The message looks very genuine and the language use is realistic, but the actual content is very suspicious.


The link leads to a credential harvesting website, which reveals this to be a malicious email.

Analyst: Wivi Koenkytö

A fake invoice is due

“Payment statement from...”

Hox rating: ★★✩✩
Threat type: Advanced
Payload: Malicious phone number
Region: Global
Date: 29.01.2024

This email claims that the recipient has an invoice due, and a "customer support" number is repeated multiple times. The goal is to get the recipient, who is unaware of any subscription, to call the malicious number.

The malicious actors have tried to make the email seem more legitimate by utilizing Wave Apps. The 'View invoice' button leads to the legitimate WaveApps domain, where the invoice again urges the recipient to call the malicious number.

Analyst: Siiri L.
