Phishing Campaign Impersonates DHL to Steal Credentials via Fake OTP Scheme
Researchers at Forcepoint’s X-Labs uncovered a sophisticated phishing campaign that leverages the DHL brand to harvest login credentials through an 11-step attack chain. The operation begins with a spoofed email bearing the subject line “DHL EXPRESS WAYBILL CONFIRMATION REQUIRED,” which falsely prompts recipients to verify a shipment. The display name reads DHL EXPRESS, but the actual sender domain, cupelva.com, reveals the deception. The message nonetheless gets past some security filters because it passes DKIM authentication: the signature is valid for the attacker’s own domain, which says nothing about whether the sender is actually DHL.
Victims who click the embedded link are directed to a fake parcel verification page hosted at perfectgoc.com, where a six-digit "OTP" generated locally by JavaScript is displayed. Unlike legitimate two-factor authentication, no code is delivered by SMS or email; users are simply told to type the on-screen code back in, which creates a false sense of security. A deliberate two-second delay mimics real processing and reinforces the illusion. Forcepoint researchers emphasized that the tactic, which targets individuals with no geographic or organizational focus, relies on psychological manipulation rather than technical complexity to lower victims’ defenses.
The attack uses URL-based identity injection: the victim’s email address is carried in the link and pre-filled on a counterfeit DHL login portal, increasing perceived legitimacy. Once credentials are entered, the phishing kit also collects telemetry, including the user’s public IP, device type, OS, browser version, and geolocation (city/country). This data is held temporarily in the browser’s local storage before transmission.
For data exfiltration, the attackers use EmailJS, a legitimate service that enables direct browser-to-email transfers, eliminating the need for dedicated command-and-control infrastructure. Stolen information is sent to the attacker-controlled mailbox [email protected]. Upon completion, victims are redirected to DHL’s authentic website, reducing suspicion by simulating a successful login.
Forcepoint noted the campaign’s effectiveness stems from its focus on social engineering over malware, with mitigation requiring the blocking of weaponized URLs and monitoring of the attacker’s mailbox.
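As an added defender-side example (not code from Forcepoint, Hackread or DHL), the check below parses constructed message headers and flags the pattern described above: a DHL display name on a non-DHL From domain whose DKIM pass is only for the attacker's own domain. The brand allowlist, the sender local part, the selector and the receiving host are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains the impersonated brand legitimately sends from.
BRAND_DOMAINS = {"dhl.com"}
BRAND_KEYWORD = "dhl"
LURE_WORDS = re.compile(r"waybill|shipment|parcel|delivery", re.I)
DKIM_PASS = re.compile(r"dkim=pass[^;]*?header\.d=([\w.-]+)", re.I)

def dkim_pass_domains(msg):
    """Collect header.d= values of every dkim=pass clause in Authentication-Results."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        found.update(d.lower() for d in DKIM_PASS.findall(ar))
    return found

def analyze_headers(raw):
    """Flag brand impersonation that a bare DKIM pass would otherwise hide."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    passed = dkim_pass_domains(msg)
    findings = []
    if BRAND_KEYWORD in name.lower() and from_domain not in BRAND_DOMAINS:
        # Display name claims the brand, but the From domain does not belong to it.
        findings.append("display_name_brand_mismatch")
        if passed and not (passed & BRAND_DOMAINS):
            # DKIM verified only for the sender's own domain: it lends no brand authority.
            findings.append("dkim_pass_unaligned_with_brand")
        if LURE_WORDS.search(msg.get("Subject", "")):
            findings.append("shipment_lure_subject")
    return {"from_domain": from_domain, "dkim_pass_domains": sorted(passed),
            "findings": findings, "suspicious": bool(findings)}

# Constructed headers modelled on the campaign; local part, selector and host are made up.
PHISH_HEADERS = """From: DHL EXPRESS <notify@cupelva.com>
Subject: DHL EXPRESS WAYBILL CONFIRMATION REQUIRED
Authentication-Results: mx.example.com; dkim=pass header.d=cupelva.com header.s=s1; spf=pass smtp.mailfrom=cupelva.com

"""

# Constructed benign counterpart: brand domain with an aligned DKIM signature.
LEGIT_HEADERS = """From: DHL Express <noreply@dhl.com>
Subject: Your shipment is on its way
Authentication-Results: mx.example.com; dkim=pass header.d=dhl.com header.s=s1

"""
```

Gating the DKIM finding on the display-name mismatch keeps ordinary mail from unrelated domains out of the alert, which is the point: a DKIM pass is only meaningful when the signing domain is the one the message claims to be from.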
Source: https://hackread.com/dhl-phishing-scam-attack-chain-steal-passwords/
DHL TPRM report: https://www.rankiteo.com/company/dhl
{
  "id": "dhl1777415025",
  "linkid": "dhl",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "customers_affected": "Individuals (no geographic or organizational focus)",
      "industry": "Logistics",
      "name": "DHL",
      "type": "Logistics/Courier"
    }
  ],
  "attack_vector": "Email",
  "data_breach": {
    "data_exfiltration": "Yes (via EmailJS to [email protected])",
    "personally_identifiable_information": "Email addresses, geolocation, device details",
    "sensitivity_of_data": "High (Personally Identifiable Information - PII)",
    "type_of_data_compromised": "Login credentials, telemetry data (public IP, device type, OS, browser version, geolocation)"
  },
  "description": "Researchers at Forcepoint’s X-Labs uncovered a sophisticated phishing campaign leveraging the DHL brand to harvest login credentials through an 11-step attack chain. The operation begins with a spoofed email bearing the subject line 'DHL EXPRESS WAYBILL CONFIRMATION REQUIRED,' falsely prompting recipients to verify a shipment. Victims who click the embedded link are directed to a fake parcel verification page where a locally generated six-digit 'OTP' is displayed via JavaScript. The attack employs URL-based identity injection to pre-fill the victim’s email address on a counterfeit DHL login portal. Once credentials are entered, the phishing kit exfiltrates additional telemetry data, including the user’s public IP, device type, OS, browser version, and geolocation. Stolen information is sent to the attacker-controlled mailbox using EmailJS. Victims are then redirected to DHL’s authentic website to reduce suspicion.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to DHL due to brand impersonation",
    "data_compromised": "Login credentials, public IP, device type, OS, browser version, geolocation (city/country)",
    "identity_theft_risk": "High"
  },
  "lessons_learned": "The campaign’s effectiveness stems from social engineering rather than technical complexity. Mitigation requires blocking weaponized URLs and monitoring attacker-controlled mailboxes.",
  "motivation": "Credential Harvesting",
  "post_incident_analysis": {
    "corrective_actions": "User education, URL blocking, monitoring of attacker-controlled mailboxes",
    "root_causes": "Social engineering (fake OTP scheme, brand impersonation, psychological manipulation)"
  },
  "recommendations": "Block weaponized URLs, monitor attacker mailboxes, and educate users on phishing tactics involving fake OTP schemes.",
  "references": [
    {"source": "Forcepoint X-Labs"}
  ],
  "response": {
    "containment_measures": "Blocking of weaponized URLs",
    "remediation_measures": "Monitoring of attacker’s mailbox ([email protected])",
    "third_party_assistance": "Forcepoint X-Labs"
  },
  "title": "Phishing Campaign Impersonates DHL to Steal Credentials via Fake OTP Scheme",
  "type": "Phishing"
}