Fake Postal Service Note Infects Devices: How Employers Can Address Phishing Risks

Researchers at Cofense, a global cybersecurity company, have been tracking a new Trickbot phishing campaign that uses a common technique to trick victims into clicking on a link.

The messages claim to be from the U.S. Postal Service notifying the victim of a missed parcel delivery.

The message claims that no one was available to provide a signature and that the recipient will have to reschedule the delivery. The cybercriminals "helpfully" note that you can simply print out the linked shipping invoice and present it at a nearby post office to set up a new delivery time.

Those who fall for this trap and click the link are sent to a site hosting a .ZIP file that contains an infected Excel workbook. When the workbook is opened, a popup notice attempts to coax the user into turning off Excel's built-in defenses via the yellow Protected View bar. If the instructions are followed, a macro script is triggered that downloads the real malicious payload, leading to a Trickbot infection.
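The infection chain above (ZIP attachment, macro-enabled Excel workbook, user coaxed out of Protected View) can be caught before anyone is asked to "enable content". The scanner below is an added example for mail-gateway or endpoint use; it is not code from Cofense, the article, or any Trickbot sample. It relies on a documented fact about the modern Office file format: an OOXML workbook is itself a ZIP archive, and a VBA project is stored inside it as the part `xl/vbaProject.bin`. The sample attachment is constructed in memory with an empty stand-in for that part (a real one is an OLE compound file), and legacy binary `.xls` files are out of scope, as noted in the comments.

```python
"""Flag ZIP attachments that carry Office workbooks with embedded VBA macros.

Added example (not from the Cofense report or the article). OOXML documents
(.xlsx, .xlsm, .docm, ...) are ZIP packages; a VBA project is stored as the
part 'xl/vbaProject.bin' (or 'word/vbaProject.bin' for Word). This scanner
opens the outer ZIP, looks inside each Office document, and reports any that
carries a VBA part so the message can be quarantined before a user sees the
"enable content" prompt.
"""
import io
import zipfile

# Extensions of OOXML packages worth inspecting. Legacy binary formats (.xls,
# .doc) are OLE files, not ZIPs, and would need an OLE parser instead.
OFFICE_EXTENSIONS = (".xlsx", ".xlsm", ".xltm", ".docx", ".docm", ".pptx", ".pptm")
VBA_PART_SUFFIX = "vbaProject.bin"  # name of the VBA binary part inside an OOXML package


def office_has_vba(data: bytes) -> bool:
    """Return True if the OOXML package in `data` contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name.endswith(VBA_PART_SUFFIX) for name in doc.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML package (e.g. legacy .xls). A production scanner would
        # route this to an OLE/VBA parser rather than treat it as clean.
        return False


def scan_zip_attachment(archive: bytes) -> list:
    """Inspect a ZIP attachment and describe each Office document found inside.

    Each finding records the member name and whether it carries VBA macros.
    Nested archives are not descended in this example.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.lower().endswith(OFFICE_EXTENSIONS):
                continue
            payload = outer.read(info)
            findings.append({"member": info.filename, "has_vba": office_has_vba(payload)})
    return findings


def should_quarantine(archive: bytes) -> bool:
    """Policy decision: quarantine if any Office document in the archive carries macros."""
    return any(f["has_vba"] for f in scan_zip_attachment(archive))


# --- Constructed sample data (hypothetical, not real malware) -----------------

def _build_workbook(with_vba: bool) -> bytes:
    """Build a minimal OOXML-shaped package for exercising the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # A real vbaProject.bin is an OLE compound file; an empty stand-in
            # is enough to show the name-based detection.
            doc.writestr("xl/vbaProject.bin", b"")
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """A constructed ZIP resembling the lure: a macro-enabled 'invoice' plus benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("shipping_invoice.xlsm", _build_workbook(with_vba=True))
        outer.writestr("readme.xlsx", _build_workbook(with_vba=False))
        outer.writestr("notes.txt", "not an office document")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for finding in scan_zip_attachment(sample):
        print(finding)
    print("quarantine:", should_quarantine(sample))
```

Matching on the part name is deliberately simple and cheap enough to run on every inbound archive; it complements, rather than replaces, the Office policy that blocks macros in files downloaded from the internet, which is what the yellow Protected View bar in the lure is trying to talk the user out of.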

Trickbot has been circulating since 2016. It began as a simple banking Trojan but has since evolved into fully modular malware that can provide remote access to infected systems, steal Active Directory credentials from enterprise environments, and distribute ransomware.

In 2020, a collaborative effort involving Microsoft's Digital Crimes Unit, law enforcement agencies, and security and hosting providers attempted to defeat Trickbot by taking 120 of its 128 servers offline. It was known at the time that keeping Trickbot suppressed would require an ongoing effort. Whether this new campaign is Trickbot's last gasp or the start of its resurgence remains to be seen. "Hackers Spoof Post Office Notices To Spread Notorious Trickbot Malware" www.forbes.com (Jan. 31, 2022).


The U.S. Postal Service has offered an online tool since 2017 to warn users of impending deliveries. "Informed Delivery," a free service from the U.S. Postal Service, lets you see what will be in your mailbox that day. Each morning, the addressee receives an email with actual-size black-and-white images of the front side of the letters and cards to be delivered. If you get an image of a letter but not the physical piece itself, Informed Delivery makes it easy to report that missing mail to the Postal Service. The images can help speed up the search for missing mail, and they also let you check whether a delivery notice is genuine.

During the pandemic, organizations had many employees working from home. Many were provided organization-issued devices, but others had to rely on their employees using their own laptops and computers, which left security holes. In fact, approximately 24 percent of firms in a Malwarebytes survey said they paid unexpected expenses to address a cybersecurity breach or malware attack following shelter-in-place orders, and many that thought they were on top of security were lacking some fundamentals like updated antivirus solutions.

Phishing emails remain the biggest threat vector. Encourage employees to take precautions on their personal devices, because an infected home PC accessing an organization's network could result in widespread infections. As with most threats, the single best way for remote workers to remain protected and keep from infecting the organization's network is education and training. Keeping informed about ever-changing phishing techniques, such as the fake postal service notice, is key.
