Inside a Fake DHL Campaign Built To Steal Credentials
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A phishing campaign masquerading as DHL is designed to steal user credentials. The attack chain uses a fake one-time password page and a branded login portal, then exfiltrates the captured data through EmailJS. After the credentials are stolen, victims are redirected to the legitimate DHL website to reduce suspicion. The operation appears to target consumers worldwide while relying on relatively lightweight infrastructure.
Investigation
Forcepoint X-Labs examined the phishing email, the malicious links, and the JavaScript responsible for generating a client-side OTP. Their analysis showed that the phishing kit gathered device and geolocation details before transmitting the collected information to an attacker-controlled mailbox through EmailJS. Researchers were able to reproduce the full attack flow in a sandbox environment.
Mitigation
Organizations should block suspicious sender domains and watch for DKIM alignment mismatches that may indicate spoofing. Security teams should also filter or block URLs resolving to the identified malicious domains. Monitoring for unexpected EmailJS activity with unusual payloads can help surface credential theft attempts, while enforcing MFA on DHL-related accounts adds another layer of protection.
Response
Defenders should notify targeted users about the phishing campaign and require password resets for any compromised accounts. The malicious email should be quarantined, and the related domains should be blocked at the email and web gateway layers. Detection rules should also be updated to identify the observed URL patterns and the EmailJS-based exfiltration method.
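The EmailJS monitoring called for above, shown as detection logic run over constructed web-gateway events. This is an added example, not Forcepoint's or the campaign's code; the EmailJS API host, the approved-referer list and the payload threshold are assumptions for the example.

```python
import json
from urllib.parse import urlparse

# Constructed web-gateway events in JSON-lines form (not real telemetry).
SAMPLE_EVENTS = """\
{"src": "10.1.2.3", "method": "POST", "host": "api.emailjs.com", "path": "/api/v1.0/email/send", "referer": "https://cupelva.com/otp.html", "bytes_out": 1840}
{"src": "10.1.2.7", "method": "POST", "host": "api.emailjs.com", "path": "/api/v1.0/email/send", "referer": "https://forms.contoso.com/contact", "bytes_out": 610}
{"src": "10.1.2.9", "method": "GET", "host": "www.dhl.com", "path": "/en/home.html", "referer": "", "bytes_out": 0}
"""

EMAILJS_HOSTS = {"api.emailjs.com"}        # assumed EmailJS send-API host
APPROVED_REFERERS = {"forms.contoso.com"}  # hypothetical sites allowed to use EmailJS
LARGE_PAYLOAD = 1024                       # bytes; hypothetical baseline for a contact form


def emailjs_reasons(ev):
    """Return why an EmailJS send looks unexpected, or [] if it does not."""
    if ev["host"] not in EMAILJS_HOSTS or ev["method"] != "POST":
        return []
    reasons = []
    # A credential-harvesting page posts from a domain the organisation never approved.
    ref_host = urlparse(ev.get("referer", "")).hostname or ""
    if ref_host not in APPROVED_REFERERS:
        reasons.append(f"unapproved_referer:{ref_host or 'none'}")
    # Harvested credentials plus device/geolocation details make an unusually large body.
    if ev["bytes_out"] > LARGE_PAYLOAD:
        reasons.append("large_payload")
    return reasons


def detect(jsonl):
    """Scan JSON-lines events and return (source IP, reasons) for suspicious EmailJS sends."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = emailjs_reasons(ev)
        if reasons:
            hits.append((ev["src"], reasons))
    return hits
```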
Attack Flow
```mermaid
graph TB
  %% Class Definitions
  classDef action fill:#99ccff
  classDef technique fill:#ffcc99
  %% Nodes
  phishing_email["<b>Action</b> – <b>T1566 Phishing</b><br/><b>Description</b>: Send malicious emails that appear legitimate to lure victims.<br/><b>Sub-technique</b>: Email Spoofing (T1672)"]
  class phishing_email action
  fake_otp_page["<b>Action</b> – <b>T1656 Impersonation</b> and <b>T1001.003 Protocol Impersonation</b><br/><b>Description</b>: Host a counterfeit one-time-password page that mimics the target service."]
  class fake_otp_page action
  gather_email["<b>Technique</b> – <b>T1589 Gather Victim Identity Information</b><br/><b>Description</b>: Capture the victim's email address from the counterfeit page."]
  class gather_email technique
  browser_discovery["<b>Technique</b> – <b>T1217 Browser Information Discovery</b> and <b>T1596.005 Search Open Technical Databases</b><br/><b>Description</b>: Enumerate browser, device and OS details from the victim's environment."]
  class browser_discovery technique
  credential_harvest["<b>Action</b> – <b>T1056.003 Web Portal Capture</b><br/><b>Description</b>: Redirect the victim to a credential-harvesting web portal."]
  class credential_harvest action
  exfil_emailjs["<b>Technique</b> – <b>T1114 Email Collection</b> and <b>T1102.002 Web Service Bidirectional Communication</b><br/><b>Description</b>: Use EmailJS to exfiltrate harvested credentials and session data."]
  class exfil_emailjs technique
  legit_redirect["<b>Action</b> – Redirect victim to the legitimate DHL site after data exfiltration."]
  class legit_redirect action
  %% Connections
  phishing_email -->|leads_to| fake_otp_page
  fake_otp_page -->|collects| gather_email
  fake_otp_page -->|collects| browser_discovery
  gather_email -->|provides| credential_harvest
  browser_discovery -->|provides| credential_harvest
  credential_harvest -->|exfiltrates| exfil_emailjs
  exfil_emailjs -->|final_redirect| legit_redirect
```
## Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- **Attack Narrative & Commands:** The adversary, aiming to harvest DHL credentials, spoofs the cupelva.com domain (a known look‑alike) and crafts an email with the exact subject line used in recent campaigns. By sending this email through a compromised external SMTP server, the message reaches the Exchange inboxes, producing transport logs that match the rule's criteria.
- **Regression Test Script:**
```powershell
# Simulated phishing email – should trigger the detection rule
$smtpServer = "smtp.malicious-host.com"   # external compromised server
$msg = @{
    From       = "dhl@cupelva.com"
    To         = "victim@contoso.com"
    Subject    = "DHL EXPRESS WAYBILL CONFIRMATION REQUIRED"
    Body       = @"
Dear Customer,

A waybill for your recent shipment requires confirmation. Please click the link below to verify your details:

https://malicious.example.com/verify

Regards,
DHL Express
"@
    SmtpServer = $smtpServer
}
Send-MailMessage @msg
```
- **Cleanup Commands:**
```powershell
# Remove the test email from the victim's mailbox (Exchange PowerShell).
# Search-Mailbox is retired in Exchange Online; use a compliance search plus purge instead.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com
New-ComplianceSearch -Name "DHL-Sim-Cleanup" -ExchangeLocation "victim@contoso.com" -ContentMatchQuery 'Subject:"DHL EXPRESS WAYBILL CONFIRMATION REQUIRED"'
Start-ComplianceSearch -Identity "DHL-Sim-Cleanup"
# Poll until the search reports Completed, then soft-delete the matching items
while ((Get-ComplianceSearch -Identity "DHL-Sim-Cleanup").Status -ne "Completed") { Start-Sleep -Seconds 10 }
New-ComplianceSearchAction -SearchName "DHL-Sim-Cleanup" -Purge -PurgeType SoftDelete
Disconnect-ExchangeOnline -Confirm:$false
```
## Evasion Assessment & Hardening Recommendations
| Potential Evasion Technique | Likelihood | Impact on Rule | Mitigation |
|---|---|---|---|
| Alter subject line (e.g., add whitespace, change case) | High | Rule misses the event | Use case‑insensitive regex and fuzzy keyword matching (`subject\|contains\|regex: "DHL\s+EXPRESS.*WAYBILL.*REQUIRED"`). |
| Use a different spoofed domain (e.g., dhl-express.co) | High | Rule misses the event | Incorporate DKIM/SPF failure detection and look for known brand‑related keywords regardless of sender domain. |
| Embed malicious link but keep subject unchanged | Medium | Rule still fires (good) | Add URL reputation check to increase confidence. |
| Send as attachment (T1192) rather than in body | Low | Rule unaffected (subject still matches) | Extend rule to inspect attachment metadata (file names, MIME types). |
Recommendations
- Broaden Sender Evaluation: Instead of a single hard‑coded domain, flag any email that fails SPF/DKIM alignment for the “dhl.com” brand and contains DHL‑related keywords.
- Fuzzy Subject Matching: Replace exact string match with a regex that captures variations, case differences, and common obfuscations.
- Enrich with URL Reputation: Parse message body for URLs; flag if any link resolves to a known malicious host or uses URL‑shorteners.
- Add Attachment Heuristics: When the rule tags attack.t1192, incorporate checks for double‑extension files or scripts commonly used in DHL‑related phishing.
Implementing these hardening steps will raise the resilience score toward 4–5, reducing the risk of simple evasion while maintaining a low false‑positive rate.
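The four hardening recommendations above, combined into one evaluation routine. This is an added example, not the page's or any vendor's rule: the regex comes from the evasion table, while the keyword list, known-bad hosts, shortener list, script extensions and the `Email` record shape are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hardened rule: fuzzy subject, SPF/DKIM alignment for brand mail, URL reputation,
# attachment heuristics. Lists below are constructed placeholders, not real feeds.
SUBJECT_RE = re.compile(r"DHL\s+EXPRESS.*WAYBILL.*REQUIRED", re.IGNORECASE)
BRAND_KEYWORDS = ("dhl", "waybill", "shipment")
KNOWN_BAD_HOSTS = {"cupelva.com", "malicious.example.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
SCRIPT_EXTS = {"js", "vbs", "hta", "ps1", "exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Email:
    from_domain: str
    subject: str
    body: str
    spf_pass: bool
    dkim_aligned: bool        # DKIM d= aligned with the visible From domain
    attachments: list = field(default_factory=list)


def subject_hit(subject):
    # Collapse runs of whitespace so padded or tab-separated variants still match.
    return bool(SUBJECT_RE.search(re.sub(r"\s+", " ", subject)))


def brand_spoof(e):
    # Mail that talks about DHL but fails SPF or DKIM alignment is treated as a
    # spoof, whatever domain the sender claims (covers dhl-express.co style swaps).
    text = f"{e.subject} {e.body}".lower()
    return any(k in text for k in BRAND_KEYWORDS) and not (e.spf_pass and e.dkim_aligned)


def bad_urls(body):
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    return sorted(h for h in hosts if h in KNOWN_BAD_HOSTS or h in SHORTENERS)


def risky_attachments(names):
    # Double extensions (invoice.pdf.exe) or script types commonly used in lures.
    return [n for n in names if len(n.lower().split(".")) > 2 or n.lower().rsplit(".", 1)[-1] in SCRIPT_EXTS]


def evaluate(e):
    """Return the hardened-rule conditions the message satisfies (empty list = clean)."""
    checks = [("subject", subject_hit(e.subject)), ("brand_auth_mismatch", brand_spoof(e)),
              ("url_reputation", bad_urls(e.body)), ("attachment", risky_attachments(e.attachments))]
    return [name for name, hit in checks if hit]
```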