A clever UPS phishing campaign utilized an XSS vulnerability in UPS.com to push fake and malicious ‘Invoice’ Word documents.
The phishing scam was first discovered by security research Daniel Gallagher and pretended to be an email from UPS stating that a package had an “exception” and needs to be picked up by the customer.
What makes this phishing attack stand out is that the threat actor used the XSS vulnerability in UPS.com to modify the site’s regular page to look like a legitimate download page.
This vulnerability allowed the threat actor to distribute a malicious document through a remote Cloudflare worker but make it look like it was being downloaded directly from UPS.com.