Top 5 things lurking behind forbidden phishing links

Post hero image

Table of contents

What are the top 5 things lurking behind forbidden phishing links? Find out here, where it's safe!

Don’t click the link! Beware of suspicious links in unexpected emails! Hover, don’t click! We've heard all the warnings but surely, one little click won’t hurt… just to see what happens… (cue the scary music). Today we’ll take a sneak peek at the top 5 things lurking behind forbidden phishing links, so your curiosity doesn’t get the best of you!

Credential harvesting

Phishing email attacks often include one or more malicious links. Clicking on them usually leads victims to a site disguised to look like an authentic login page of a commonly used service. Upon logging in, the victim unwittingly gives their user credentials to bad actors. These pages are called credential harvesters.

The pages are often well crafted, or even identical copies of their legitimate counterparts. Sometimes, password managers are even fooled to suggest auto filling the correct credentials for you.

1. Microsoft login pages

Let’s begin with perhaps the most common type of credential harvester found behind a phishing link: a Microsoft login page impersonation.

Credential-harvesting Microsoft login page

The email address field is usually pre-populated with the recipients’ address, leaving the victim only with the task of entering their password. Seeing that their email is already filled in, one might think that this is a familiar site they’ve already logged in to before. And let’s face it, we’re all a bit lazy, and when we must only enter a password instead of both our email address and password, we’re much more likely to comply.

An increasing number of these sites also employ something called a LogoKit, a tool which automatically fetches the company logo and login page background associated with the recipients’ email domain. This nasty tool makes these login pages almost impossible to visually distinguish from their legitimate counterparts.

When a password is entered, the sites usually inform that the password was incorrect, urging the user to fill it in again. This neat trick helps reduce the risk that a victim has entered their password incorrectly, and sometimes might even result in multiple passwords forfeited to the malicious actor.

Entering a password a second time usually redirects the user to the domain in their email address—if a address would be given, the victim would be redirected to The victim might then be left thinking that there has been an error in the link instead of alerting them, giving the attacker more time to use the credentials maliciously.

Some campaigns are even more sinister. Instead of redirecting the victim to a legitimate site, they initialize download of malware often disguised as a document. In this case not only do the attackers have access to the victims’ email account and all other services linked to it, but they might also get their malware on the device and from there spread it across the whole company network.

2. Postal services

This common type of credential harvester we're seeing might make someone want to go postal. This attack usually informs the victim about a package being shipped to them, sometimes even including a description of the contents, which may vary from pricy phones and laptops to other cool gadgets.

There's a catch however—usually the shipping costs have not been paid and credit card information must be entered to cover minuscule fees to receive the pricy new device.

Another attack angle commonly used in this theme is a missing shipping address. It must be filled, but only after authenticating ones’ identity using their business email and password. Pretty devious, right?

DHL impersonated landing page, credential harvester

3. Apple ID phishing attacks

This is a nasty one. The email asks the victim to verify their identity in order to not lose access to their Apple ID. Accompanied by solid graphics and pretty animations, the victim is lead from form to form.

Not only are the Apple ID credentials harvested, but the victim is requested to fill in their name, address, date of birth, phone number and credit card information. In the end a positive popup is shown about a successful restoration, and then the victim is again redirected to a legitimate site to lower the risk of alerting them.

Access to an Apple ID alone gives the attacker a lot of power, since those credentials can be used to access cloud storage, payment information, messages and much more. In addition, the personal and credit card information can be used to cause serious harm via identity theft.

4. Tax phishing attacks

Tax season is stressful enough as it is. We’re frightened enough by notices from tax authorities, but now we have to watch out for tax phishing attacks as well.

This is what was found lurking behind the links in a very large phishing campaign during last tax season. They ask for pretty much everything needed for a proper identity theft, but it doesn’t stop there. On the next page, they ask for driver’s license information and after that it finally sends the victim to the legitimate site of the UK government.

UK government tax phishing landing page

5. Dishonorable mentions

We’ve now showcased four common behind-the-links credential harvesting phishing attacks. But these are just the tip of the iceberg. The wide availability of phishing kits and related cybercrime-as-a-service tools enable easy setup of custom credential harvesters, which is encouraging new sites and campaigns to pop up daily. Being a cybercriminal is getting easier and easier.

Banks are a very common target, as are virtual conferencing tools and streaming services. You name it—they phish with it. Did you know compromised Netflix accounts sell for as low as $0.50 on the dark web?

Netflix, Zoom, and Dropbox impersonated credential harvesting landing pages

Wrap up

Enough with the fear mongering!  Here are a few tips on how to stay safe from these attacks.

  1. While credential harvesting sites become increasingly difficult to visually distinguish from their legitimate counterparts, one thing never changes - You should hover over links!
  2. By hovering with your cursor over the link, you reveal the URL. Should you have clicked a link, do not enter your credentials before examining the URL.
  3. In most cases, the URL will show something completely unrelated to the service it supposedly leads to, as the sites are hosted on whatever domains the attacker has got their hands on. That makes the fraud very easy to spot in the URL.
  4. If possible, log in to services by navigating to them directly through your web browser instead of clicking the links in an email. Notices, like new shared files, messages and requests are usually found within the service too.

It’s always good to be a bit suspicious!

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the phishing training that will protect your company from scams.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this