It was the night before Christmas…

OK. That’s enough of that.

Has anyone noticed an increase in phishing emails from logistics companies recently?

As the last minute Christmas rush takes hold, many of us have probably attempted to get those last minute online orders in on-time.

Sadly I didn’t. I’ll be heading out at lunchtime to buy those last remaining gifts.

Finding out a package wasn’t delivered is frustrating at the best of times.

The stress of Christmas can amplify it.

DHL Phishing email

The urgency can cause even the best of us to lower our guard and open the attachment or follow the link of a time-sensitive email.

And as the familiar story goes; the mouse button clicks, the payload is executed.

Security awareness training helps educate staff of these risks, and is probably the most important part of a security strategy.

But phishing campaigns tap into a sense of urgency, from unpaid invoices to requests from “the CEO”.

The team at Microsoft highlight a good example in Emotet’s annual season’s greetings with email subjects and malicious attachment file names like “Party menu”, “Christmas party”, “Holiday schedule 2019-2020”.

This sense of urgency can quickly cause even the most well produced online training videos (anyone found any yet?) to be forgotten.

But lets take a look at how obvious these phishing emails actually are to the trained eye.

Using a real DHL phishing email I was gifted this holiday season, opening the extension (in a sandbox) I find the malware attached is reporting back to the domain:


I don’t want to let the target know I’m performing reconnaissance, so I’ll use passive reputation system modules in ThreatPipes to take a covert look.

ThreatPipes Malicious domain result


ThreatPipes Malicious IP result

ThreatPipes also uncovers that the domain resolves to an IP.


That IP has been reported as malicious to 5 of the modules that scanned it (TotalHash, AlienVault OTX, Fraudguard, MetaDefender, VirusTotal)

Time to block that IP.

But what else has ThreatPipes found?

ThreatPipes co-hosted site result

There are other sites hosted on the same IP… All of which are also hosting malicious content.


ThreatPipes phishing email scan overview

Oh, and some affiliate IPs reported as malicious probably belonging to the same group or lone bad actor.

Time to block those too.

ThreatPipes also found a couple of Dark Web mentions, an SSL Certificate mismatch on the domain, along with some strange headers, and Flash content thrown in for good measure.

By collecting everything we know about this threat, versus simply blocking the original malicious domain, I’m now better prepared for secondary attacks as those targeting me use other assets in their arsenal.

And that’s how Christmas was saved.

Happy holidays!

ThreatPipes Modules relevant to this post

  • AlienVault OTX: Obtain information from AlienVault Open Threat Exchange (OTX)
  • Fraudguard: Obtain threat information from
  • TotalHash: Check if a host/domain or IP is malicious according to
  • MetaDefender: Search MetaDefender API for IP address and domain IP reputation.
  • VirusTotal: Obtain information from VirusTotal about identified IP addresses.

Here are 100’s more…

David Greenwood

David Greenwood, ThreatPipes Team