You Have Unpaid Package – Canada Post

This Canada Post phish even includes a few links to real Canada Post websites at canadapost.ca canadapost-postescanada.ca to try and make the email look legitimate. However, the “Pay Here” link that you’re directed to click on is the one link in the email that does not go to a legitimate site. It actually goes to a completely different site with a phish form that imitates Canada Post branding and aims to trick you into providing your personal information.

It’s worth noting that the sender was very cleverly crafted to look like it could be a Canada Post email address. But in reality, post[.]ca (to be safe, don’t go to that site) doesn’t actually belong to Canada Post.

IT Support – Account Update

Hovering over the link reveals that it actually goes to a web page on wixsite.com, which is associated with a free website builder. No legitimate UVic or Microsoft login page would be hosted on a free website or form builder, so that’s a clear sign that this is a phish.

Uvic benefits eligibility policy

Sending phishing emails that look like HR notices about benefits is a very popular tactic among phishers. Instead of trying to get you to click on a link, this phish tries to get you to open an attachment. The attachment is actually a webpage (HTML file) that will then ask you to enter your Microsoft account credentials because you are trying to view sensitive information.

Always be wary of attachments that come from unsolicited emails. If you are prompted for Netlink or Microsoft account credentials upon opening an attachment, contact your department’s IT support contact or the Computer Help Desk immediately, as that is a sign the attachment is phishy.

_Password /Expired

If you hover over the link in this phish, you will see it does not go to uvic.ca but instead goes to a sendgrid.net address. SendGrid is a legitimate emailing platform and its links might be expected in things like newsletters and other email subscriptions. But phishers like to abuse it for their own nefarious purposes too, so if you see a SendGrid link in an email directing you to click and login or do something about your password, that is usually a sign of a phish.

You have pending incoming messages.

We see a  novel idea in the phish area today. This time they are trying to persuade you that MS Defender prevented delivery of email messages.
The sender is clearly external. The link to “review messages” is also external,
you can see it by hovering over it with the mouse cursor, without clicking.

Please do not click on such links out of curiosity, they may contain malware to infect your machine instantaneously. Our experts open those in a dedicated isolated environment.
The fake login page is pretty much like our regular Outlook Web Access page (aka OWA).

Final Important Notice !!

This phish claims roundcube mail was to be upgraded and asks you to click on a link that has nothing to do with UVic.  The sender is clearly external and if you hover over the link with the mouse cursor you will notice it is external too. Please do not click on such links out of curiosity, they may contain malware to infect your machine instantaneously. Our experts open those in a dedicated isolated environment.
The fake login page is shown at the bottom.

 

——————————————————————————–

Apparently the same actors sent the same link in a different phish, which has a different subject line but the same text in the body of the message. It looks like this:
———————————————

Below is the fake login page:

COVID-19 benefits phishes… again

As usual, criminals will take advantage of current events to try to trick people into clicking and submitting credentials. This phishing email appears more legit than most due to use of a compromised .edu account and clear, proper English. The login page was not very tricky or splashy, with clear red flags such as an unusual website domain and the password field is not obfuscated with ***.