December 22, 2023

Threat feed week 51: Disney+, McAfee, Adobe Sign, and Paypal impersonations


Disney+ impersonation

“Payment method is not valid”

Hox rating: ★★✩✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Denmark

Date: 15.12.2023

This email impersonates Disney+, claiming that there is a problem with the recipient's payment method. The email urges the recipient to solve the problem by logging in through a malicious hyperlink.


Analyst: Siiri L.

McAfee impersonation

Hox rating: ★★✩✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Europe

Date: 20.12.2023

"Your McAfee subscription expired today, leaving you more vulnerable to viruses and malware. We recommend you renew your subscription to protect your family from cyberattacks and surf safely."


In this phishing email, the attacker tries to create a sense of urgency and concern in the recipient. The email claims the recipient's device is more vulnerable to cybersecurity threats due to the expiration of their McAfee subscription. The attacker encourages the recipient to renew their subscription by offering a 91% discount if they renew immediately. The link leads to a credential harvesting website.

Analyst: Wivi Koenkytö

Microsoft impersonation

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 18.12.2023

This campaign impersonates Microsoft, claiming they’ll terminate the recipient’s account. To avoid losing access, the recipient has to click the 'Keep My Same Password' button. The button leads the recipient to a credential harvester.

Analyst: Kaarlo Mahlberg

Adobe Acrobat Sign impersonation

Hox rating: ★★✩✩

Threat type: Bulk phishing

Payload: Malicious link

Region: Global

Date: 14.12.2023

This email claims to come from Adobe, inviting the recipient to sign a document called "Investor Portal – Funds_Disbursement_Settlement_Insturctions". If the recipient clicks on the 'Review and sign' button, they are taken to a credential harvester.


Analyst: Siiri L.

PayPal impersonation

Hox rating: ★★★✩

Threat type: Bulk phishing

Payload: Malicious phone number

Region: Global

Date: 19.12.2023

In this phishing email, the attacker provokes a sense of confusion in the recipient by sending an unexpected expense from a legitimate service. The aim is to get the recipient to call the malicious phone number as no other contact information is given.


Analyst: Wivi Koenkytö

S-Pankki impersonation

Hox rating: ★★★✩

Threat type: Advanced

Payload: Malicious link

Region: Finland

Date: 21.12.2023

"A new message is available in your S-Pankki mailbox."


In this phishing email, the recipient is told that they have received a new message, which they can access by clicking the link. The link actually leads to a credential harvesting website with the aim of getting the recipient's credentials and possibly bank account information.

Analyst: Wivi Koenkytö

Tele2 impersonation

Hox rating: ★★★✩

Threat type: Advanced

Payload: Malicious link

Region: Nordics

Date: 15.12.2023

"We want to inform you that you have paid twice for this month."

In this phishing campaign, the attacker impersonates telecommunications company Tele2, claiming the recipient has paid their latest invoice twice. The recipient is told that they need to request a refund by clicking the link, which leads to a malicious credential harvesting website.

Analyst: Wivi Koenkytö

Suomi.fi impersonation

Hox rating: ★★✩✩

Threat type: Advanced

Payload: Malicious link

Region: Finland

Date: 20.12.2023

This email impersonates Suomi.fi, a Finnish public authority web service. The email suggests that the recipient has a new message on Suomi.fi and that they can read it by clicking the link in the email.


The email leads the recipient to a website where malicious content is hosted.

Analyst: Kaarlo Mahlberg

QuickBooks impersonation

Hox rating: ★✩✩✩

Threat type: Bulk phishing

Payload: Malicious phone number

Region: Global

Date: 18.12.2023

This email impersonates QuickBooks. It attempts to create a scenario where the recipient ordered a Business Essentials Plan from QuickBooks.


To cancel the fake order, the recipient has to call a malicious phone number.

Analyst: Kaarlo Mahlberg

Microsoft Teams impersonation

Hox rating: ★★★✩

Threat type: Advanced campaign

Payload: Malicious link

Region: Global

Date: 18.12.2023

This email pretends to be an invite to an all-company Teams meeting, discussing, for example, "wages bonus", which might arouse curiosity.


The email has details like 'Tim****' sending a message to Content Team as well as a timestamp of exactly 37 minutes to make it seem more legit.

Analyst: Siiri L.
