Malware | Apr 28, 2026

New DHL Phishing Scam Uses 11-Step Attack Chain to Steal Passwords

DHL phishing campaign uses 11-step attack chain with fake OTP and EmailJS to steal credentials.

Summary

Forcepoint X-Labs discovered a sophisticated phishing campaign impersonating DHL Express that employs an 11-step attack chain to harvest user credentials and device telemetry. The scam uses a spoofed email, fake OTP verification page, and EmailJS to exfiltrate stolen data while maintaining victim trust. The campaign targets individuals broadly with no geographic concentration and demonstrates how attackers leverage legitimate services to reduce infrastructure complexity.

Full text

Forcepoint’s X-Labs reports an 11-step DHL phishing scam that uses fake OTP codes and EmailJS to harvest user credentials and device telemetry.

by Deeba Ahmed, April 28, 2026

Researchers from Forcepoint’s X-Labs team recently found a phishing campaign designed to steal login credentials from users. What grabbed the researchers’ attention was that the threat actors used the DHL brand name to trick users into revealing their passwords through an 11-step attack chain.

The Email Lure

The campaign begins with a spoofed email that appears to be from DHL Express with the subject line “DHL EXPRESS WAYBILL CONFIRMATION REQUIRED,” asking the victim to confirm a waybill or shipment. According to the researchers, there is a clear giveaway: the display name is DHL EXPRESS, but the sender domain is cupelva.com. Because that domain is the attacker’s own, the email passes DKIM authentication for it, which helps it get past some security filters.

Upon clicking the link, the victim is sent to a fake parcel OTP page at perfectgoc.com. This page shows a fake verification step that displays a six-digit number generated locally by JavaScript. Researchers noted that this isn’t a real security check: no SMS or email is sent; instead, the user is asked to type in the number shown on their own screen, which creates a false sense of trust. The page also adds a two-second delay to mimic real data processing.

“The campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim’s guard before the actual theft begins,” Forcepoint researchers explained in the blog post, shared with Hackread.com.
Data Theft Methods

The scammers use URL-based identity injection to carry the victim’s email address from the email to the final login page. This ensures the fake DHL login portal is already filled in with the user’s email, making it look more legitimate. This is the stage where the user’s password is stolen.

The phishing kit then collects the device’s telemetry, including the public IP address, device type, operating system, browser version, and even the user’s city and country via a geolocation lookup. All of this data is stored in the browser’s local storage before it is moved off the device.

[Figure: the fake shipment notice, the fake OTP page, and the credential-stealing page (Source: Forcepoint)]

Data Exfiltration

According to X-Labs’ research, a tool called EmailJS is used to move the stolen data. This is a legitimate service that lets the phishing kit send emails directly from the browser to the attackers, which reduces the need for the operators to maintain their own servers. Researchers also observed that the stolen data was sent to a specific mailbox, [email protected].

When the attack is complete, the kit redirects the victim to the real DHL website to keep them from becoming suspicious: landing on the genuine site, they may assume their login succeeded.

Researchers noted that this lightweight kit is effective because it relies on user trust rather than complex malware, and that protection against it involves blocking the weaponised URLs and watching for the specific attacker mailbox used in the campaign.
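The mail-side checks that follow from the lure and identity-injection sections above, as an added example (not Forcepoint’s or Hackread’s code): it flags a From display name that claims a brand while the address domain is someone else’s, treats a DKIM pass for a non-brand signing domain as a signal rather than a clean bill of health, matches links against the indicator domains on this page, and spots links that carry the recipient’s address in the query string. The brand-to-domain list, the recipient address, the URL paths and the Authentication-Results line in the sample messages are assumptions constructed for the example.

```python
"""Mail-side detection heuristics for the DHL-style lure described above.

Added example, not Forcepoint's or Hackread's code. It checks three things
the write-up calls out: a From display name that claims a brand while the
address domain belongs to someone else (DKIM passes for the attacker's own
domain, so 'dkim=pass' alone is not a verdict), links to the indicator
domains, and links that carry the recipient's address in the query string
(the "URL-based identity injection" that pre-fills the fake login page).
Brand domains, recipient and URL paths below are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Assumed list of domains a brand legitimately mails from; in production this
# comes from policy, not a hard-coded dict.
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}

# Indicator domains taken from the page's IoC list.
BAD_DOMAINS = {"cupelva.com", "perfectgoc.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DKIM_D_RE = re.compile(r"dkim=pass[^;]*?header\.d=([\w.-]+)", re.IGNORECASE)


def claimed_brand(display_name):
    """Brand named in the From display name, or None."""
    lowered = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def sender_domain(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_urls(text):
    return URL_RE.findall(text)


def identity_injected(url, recipient):
    """True when any query-string value embeds the recipient address."""
    query = parse_qs(urlparse(url).query)
    return any(recipient.lower() in v.lower() for vals in query.values() for v in vals)


def analyze(raw_message):
    """Return a list of finding tags; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    brand = claimed_brand(name)
    domain = sender_domain(addr)
    if brand and domain not in BRAND_DOMAINS[brand]:
        findings.append(f"brand_mismatch:{brand}:{domain}")

    # A DKIM pass for a non-brand signing domain is exactly the case the
    # article describes: the signature is valid, just not for DHL.
    auth = msg.get("Authentication-Results", "")
    m = DKIM_D_RE.search(auth)
    if brand and m and m.group(1).lower() not in BRAND_DOMAINS[brand]:
        findings.append(f"dkim_pass_nonbrand:{m.group(1).lower()}")

    _, recipient = parseaddr(msg.get("To", ""))
    body = msg.get_payload() if not msg.is_multipart() else "\n".join(
        str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    for url in extract_urls(body):
        host = (urlparse(url).hostname or "").lower()
        if host in BAD_DOMAINS:
            findings.append(f"bad_domain:{host}")
        if recipient and identity_injected(url, recipient):
            findings.append(f"identity_injection:{url}")
    return findings


# Constructed sample lure using the reported subject line and indicators;
# the recipient address, URL path and auth header are made up for the example.
SAMPLE_LURE = """\
From: DHL EXPRESS <notification@cupelva.com>
To: victim@example.com
Subject: DHL EXPRESS WAYBILL CONFIRMATION REQUIRED
Authentication-Results: mx.example.com; dkim=pass header.d=cupelva.com
Content-Type: text/plain

Your shipment is on hold. Confirm the waybill here:
https://perfectgoc.com/parcel/verify?email=victim@example.com
"""

# Constructed control message that should raise no findings.
SAMPLE_CLEAN = """\
From: DHL Express <noreply@dhl.com>
To: victim@example.com
Subject: Your parcel is on its way
Authentication-Results: mx.example.com; dkim=pass header.d=dhl.com
Content-Type: text/plain

Track your parcel at https://www.dhl.com/tracking
"""

if __name__ == "__main__":
    for tag in analyze(SAMPLE_LURE):
        print(tag)
```

Running it on the constructed lure yields a brand mismatch for cupelva.com, a DKIM pass for that non-brand domain, a hit on perfectgoc.com, and an identity-injection tag for the link carrying the recipient’s address; the clean control message produces nothing. The DKIM check is the point worth internalising: a passing signature only tells you the mail was not altered in transit from whoever signed it, so the signing domain has to be compared with the brand the message claims.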

Indicators of Compromise

  • domain — cupelva.com
  • domain — perfectgoc.com
  • email — notification@cupelva.com

Entities

  • DHL (vendor)
  • Forcepoint (vendor)
  • EmailJS (technology)
  • DHL Phishing Campaign (campaign)