Every quarter, Check Point tracks the brands that were most frequently imitated by hackers.

Typically, Microsoft is at the top of this list. And, indeed, in the fourth quarter, it was second.

The first was a bit of a surprise–DHL.

Though DHL is an oft-imitated brand, what was surprising was the number of spoofs in the fourth quarter. In the third quarter, DHL accounted for 9% of all phishing emails. In the fourth quarter, it skyrocketed up to 23%.

Surely, a lot of this was because the fourth quarter takes place during the holiday season. 

Now, hackers are taking advantage of this by attaching malware to a DHL spoof.

Starting in January 2022, Avanan observed a new wave of hackers spoofing DHL and attaching potentially malicious files that link to credential harvesting pages and includes a dangerous Trojan virus. The attachment itself contains no malicious payload; rather, it redirects the web browser to a compromised web page.  This strategy often allows phishers to go undetected, due to the newness of the compromised webpage and the reactive nature of traditional anti-phishing defenses.


In this attack, hackers spoofed DHL delivery notifications to send potentially malicious files that redirect the end-user to a credential harvesting page and include a Trojan virus.

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Impersonation, Phishing, Credential Harvesting, Trojan
  • Target: Any end-user



In this attack, hackers are spoofing a delivery message from DHL. The email attaches a purported shipping document for an already-arrived shipment. Instead of going to that shipping document, a malicious file goes straight to a credential harvesting page. It also installs a Trojan virus, which is a malicious file that can take over the user’s computer. This attack has its origins in a spoofed FedEx attack observed by Check Point Research, which uses a spoofed email to send malware. In that case, the Snake Keylogger malware is used, which records keystrokes to steal credentials and other information. The DHL spoof attack discussed today varies in the malware used. Instead of a keylogger, this attack takes advantage of a Trojan virus that would take over the computer of the intended victim. 


Email Example #1

In this email, a missed delivery notification is sent, and the user is asked to see the attached shipping document, along with confirming their shipping address. 


This is a malicious javascript HTML link that redirects the end-user to a fake Office 365 login page. It will also install a Trojan virus on the end user's computer. 


In this email attack, hackers have impersonated the most-popular spoofed brand to send devastating credential harvesting attacks and deliver Trojan viruses. 

By spoofing a popular brand, the hackers are hoping to target vulnerable users who are accustomed to checking for shipping notifications. 

The attachment is indeed potentially malicious. In addition to reaching a credential harvesting page, it also includes a Trojan that would take over access to the computer.

In fact, an analysis from Check Point SandBlast, which guards against unknown malware, zero-day threats and other targets, shows high confidence and a critical risk in the attached Trojan file:


So, this attack would not only steal credentials–it could steal so much more, from critical data and information to stealing control of the computer itself to propagate more attacks on your network. 

DHL spoofs have happened before, and an Avanan report in December highlighted one of these spoofs. That attack also spoofed a DHL notification that led to a credential harvesting attack. What’s different about today’s attack is the addition of a malicious Trojan virus. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Remind end-users to be careful before clicking on files from shipping companies. Be sure to look at the sender’s address. In this case, it’s not a legitimate address
  • Before opening any files from shipping companies, be sure to check that you were expecting a package that day
  • Deploy protection that dynamically scans for known and unknown malicious threats

Subscribe to Our Attack Briefs for More Research