Check Point Email Security | Blog

Missed Delivery Messages as a Pretext for Phishing

Written by Jeremy Fuchs | January 20, 2022

The feeling is familiar: waiting for an important email, only to find that the message has been held up, whether by a security solution or for some other reason.

The hold-up can have many causes: a typo in the email address, or an address that doesn’t exist. It happens to all of us.

Phishers are taking advantage of this familiarity by dressing their phishing messages up as misdelivery notifications.

Starting in January 2022, Avanan observed a new wave of hackers sending convincing missed delivery messages that link to credential harvesting pages. In this attack brief, Avanan will analyze how undeliverable messages have become an attack vector for hackers. 

Attack

In this attack, hackers send fake undeliverable-message notifications that carry credential harvesting links.

  • Vector: Email
  • Type: Credential Harvesting, Spoofing
  • Techniques: Impersonation, Phishing, Social Engineering
  • Target: Any end-user

Email

In this attack, hackers send “missed delivery” messages to end-users. The notification claims that multiple important messages failed to deliver. A link that appears to lead to the held email instead goes to a credential harvesting page.

Email Example #1

This email is styled as an undelivered mail notification. Clicking the linked subject lines does not open the email; it goes to a credential harvesting webpage.

This email looks like a message from IT saying that some important messages haven’t been delivered. The link leads to a phishing page rather than the actual email.

Techniques

In this attack, hackers take advantage of the familiar format of missed delivery messages. When a message is held up, IT staff typically send a list of the affected emails so that the user can release them; clicking a subject line in that list should open the email itself. In this attack, the link goes to a credential harvesting page instead.

The listed subject lines also use classic social engineering tactics such as urgency: seeing a subject like “invoice” or “Shipping document” entices the user to click.

This email failed SPF checks, and the sender also had little to no historical reputation.
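As an added illustration (not code from the attack brief or from Avanan), the following Python script checks a constructed message for the two signals called out above: an SPF failure in the Authentication-Results header, and “subject” links whose real destination is a host outside the organization’s mail system. The sample message, the trusted hostname and the lure-word list are assumptions made for this example.

```python
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a captured message: a fake digest whose "subject" links leave the mail host.
SAMPLE_EML = b"""\
From: IT Mail Admin <quarantine@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com
Content-Type: text/html; charset=utf-8

<p>The following messages were held. Click a subject to release it:</p>
<a href="https://mail.example.com/quarantine/101">Weekly report</a><br>
<a href="https://login-verify.example.net/owa">Invoice #4471</a><br>
<a href="https://login-verify.example.net/owa">Shipping document</a><br>
"""
TRUSTED_HOSTS = {"mail.example.com"}  # assumed: where a genuine digest would link
LURE_WORDS = ("invoice", "shipping", "urgent")  # urgency lures the brief calls out

class LinkCollector(HTMLParser):
    # Collect (visible text, href) for every <a> so the text can be compared to its target.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def analyze(raw: bytes, trusted_hosts=TRUSTED_HOSTS) -> list:
    # Return indicator strings: SPF failure plus every link whose host is not trusted.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    if "spf=fail" in (msg.get("Authentication-Results") or "").lower():
        findings.append("spf_fail")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for text, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host not in trusted_hosts:
            kind = "lure_link" if any(w in text.lower() for w in LURE_WORDS) else "external_link"
            findings.append(f"{kind}:{text}->{host}")
    return findings
```

Run against the sample, the genuine “Weekly report” link is left alone while the two lure subjects and the SPF failure are reported; in a mail gateway the same checks would feed a quarantine or user-warning decision.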

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Remind users of basic cybersecurity hygiene, including hovering over links to see what the intended destination is
  • Ask IT if the missed delivery message is legitimate
  • Deploy protection that doesn’t rely on static information, but rather dynamic, AI-driven analysis