Credential harvesting page
Researchers at Forcepoint X-Labs have recently identified a clever phishing campaign targeting everyday consumers by impersonating the global logistics giant, DHL. Unlike high-level corporate espionage, this “lightweight” attack focuses on individuals, using psychological manipulation rather than technical complexity to harvest passwords.
The campaign is defined by an 11-step attack chain designed to move a victim from a spoofed email to a final credential theft while systematically lowering their guard.
The attack begins with an email that looks like a standard DHL shipment notice, often with the subject line “DHL EXPRESS WAYBILL CONFIRMATION REQUIRED”.
While the email uses official branding, researchers pointed out a glaring technical mismatch: “The email uses the display name DHL EXPRESS, but the envelope/from domain is cupelva[.]com”. Interestingly, the message often passes DKIM authentication checks for the attacker’s domain, which can trick automated filters into thinking the email is legitimate.
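The header mismatch described above is the kind of check a mail gateway or SOC analyst can automate: compare the brand claimed in the display name with the actual From domain, and treat a DKIM pass for an unrelated domain as no evidence for the brand at all. The following is an added example, not code from Forcepoint X-Labs or from the report; the headers are constructed to model the lure described in the article, and the allowlist of brand domains is an assumption.

```python
"""Added example: flag brand impersonation in the From header even when DKIM passes.

Not from the Forcepoint X-Labs report; sample headers below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the lure in the article (display name says DHL,
# envelope domain is cupelva.com, and DKIM passes for that attacker domain).
SAMPLE_HEADERS = """\
From: DHL EXPRESS <notice@cupelva.com>
To: victim@example.com
Subject: DHL EXPRESS WAYBILL CONFIRMATION REQUIRED
Authentication-Results: mx.example.com; dkim=pass header.d=cupelva.com; spf=pass smtp.mailfrom=cupelva.com
Message-ID: <constructed-001@cupelva.com>

"""

# A constructed legitimate message for comparison.
LEGIT_HEADERS = """\
From: DHL Express <noreply@dhl.com>
To: victim@example.com
Subject: Your shipment is on its way
Authentication-Results: mx.example.com; dkim=pass header.d=dhl.com; spf=pass smtp.mailfrom=dhl.com

"""

# Assumed allowlist: brand keyword -> domains allowed to use it in a display name.
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}


def _is_allowed(domain, allowed):
    """True if domain is an allowlisted domain or a subdomain of one."""
    return domain in allowed or any(domain.endswith("." + d) for d in allowed)


def sender_parts(raw):
    """Return (display name, From-address domain) from the raw headers."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return display, domain


def dkim_domain(raw):
    """Return the d= domain of a passing DKIM signature, or None if there is none."""
    auth = message_from_string(raw).get("Authentication-Results", "")
    m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", auth)
    return m.group(1).lower() if m else None


def assess(raw):
    """List human-readable findings; an empty list means no brand mismatch."""
    display, domain = sender_parts(raw)
    signer = dkim_domain(raw)
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not _is_allowed(domain, allowed):
            findings.append(
                f"display name claims {brand.upper()} but From domain is {domain}")
            # A DKIM pass only proves the signer controls its own domain; it says
            # nothing about the brand shown to the user, so call that out too.
            if signer and not _is_allowed(signer, allowed):
                findings.append(
                    f"DKIM pass is for {signer}, not a {brand.upper()} domain; "
                    "authentication does not vouch for the displayed brand")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_HEADERS):
        print("ALERT:", line)
    print("legit message findings:", assess(LEGIT_HEADERS))
```

The point of the second finding is the one the article makes: a DKIM pass is a statement about cupelva[.]com, not about DHL, so filters that treat “dkim=pass” as a trust signal without checking the signing domain against the displayed brand are exactly what this campaign exploits.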
Once a victim clicks the link, they aren’t immediately asked for a password. Instead, they face a “parcel-themed OTP interface”. This is where the deception deepens. The page generates a six-digit code locally using simple JavaScript—meaning there is no real server-side verification happening. As the report notes: “The victim is being asked to repeat a number already displayed on the screen”.
This step serves three psychological purposes:
- It creates an illusion of security.
- It builds user trust by making the process feel like a natural, multi-step workflow.
- It reinforces the illusion of a working system: the page waits two seconds before showing the OTP to “mimic processing,” a classic social engineering trick.
After the “verification” is complete, the victim is redirected to a DHL-branded login page. To make it more convincing, the kit uses URL-based identity handling to carry the victim’s email address forward so it is pre-filled on the login screen. The only thing the user needs to enter is their password. Before the data is sent to the attacker, the kit collects victim telemetry, including:
- Public IP address and geolocation (City, Region, Country).
- Device fingerprinting (OS, browser type, and hardware).
- Timestamp and the specific tracking number used in the lure.
To keep infrastructure costs low and avoid detection, the attackers use EmailJS, a legitimate client-side service, to ship the stolen data directly to a mailbox: slatty077@tutamail[.]com. Finally, the victim is redirected to the real dhl.com website. This “closes the loop,” leaving the victim believing the login worked and reducing the chance they will immediately report the incident.
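Three of the behaviours described in this section leave traces in web proxy logs: the victim's email address carried forward in the URL, a browser on a DHL-lookalike page calling a third-party mail-sending API, and the final bounce from the lookalike to the real dhl.com. The following is an added detection example, not code from the report; the log lines and the lookalike hostname are constructed, and the EmailJS API hostname used as the exfiltration indicator is an assumption that should be confirmed against your own traffic before deployment.

```python
"""Added example: spot the three proxy-log traces of this kit.

Not from the Forcepoint X-Labs report. Log lines, hosts and the EmailJS API
hostname are constructed or assumed for illustration.
"""
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <referer|->".
LOG_LINES = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://dhl-parcel-verify.example/track.php?id=DHL12345&email=victim%40example.com -",
    "2024-01-01T10:00:09Z 10.0.0.5 POST https://api.emailjs.com/api/v1.0/email/send https://dhl-parcel-verify.example/login.php",
    "2024-01-01T10:00:10Z 10.0.0.5 GET https://www.dhl.com/ https://dhl-parcel-verify.example/login.php",
    "2024-01-01T10:05:00Z 10.0.0.7 GET https://www.dhl.com/track?id=123 -",
]

BRAND = "dhl"
BRAND_DOMAINS = {"dhl.com", "dhl.de"}          # assumed allowlist of real brand domains
EXFIL_HOSTS = {"api.emailjs.com"}              # assumed client-side mail API endpoint
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_brand_host(host):
    return host in BRAND_DOMAINS or any(host.endswith("." + d) for d in BRAND_DOMAINS)


def looks_like_lookalike(host):
    """Hostname mentions the brand but is not one of its real domains."""
    return BRAND in host and not is_brand_host(host)


def parse_line(line):
    ts, client, method, url, referer = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method,
            "url": urlparse(url), "referer": urlparse(referer) if referer != "-" else None}


def detect(lines):
    """Return (reason, raw line) pairs for requests matching the kit's traces."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        url, ref = rec["url"], rec["referer"]
        # 1. Identity carried in the URL: an email address in a query value on a lookalike host.
        if looks_like_lookalike(url.hostname or ""):
            values = [v for vs in parse_qs(url.query).values() for v in vs]
            if any(EMAIL_RE.match(v) for v in values):
                findings.append(("victim email carried in URL on lookalike host", raw))
        # 2. Exfiltration: a lookalike page calling a client-side mail-sending API.
        if url.hostname in EXFIL_HOSTS and ref and looks_like_lookalike(ref.hostname or ""):
            findings.append(("lookalike page sending data via client-side mail API", raw))
        # 3. Closing the loop: a lookalike page redirecting the user to the real brand site.
        if is_brand_host(url.hostname or "") and ref and looks_like_lookalike(ref.hostname or ""):
            findings.append(("redirect from lookalike to real brand site", raw))
    return findings


if __name__ == "__main__":
    for reason, raw in detect(LOG_LINES):
        print(f"{reason}: {raw}")
```

Rule 2 deliberately requires the lookalike referer: EmailJS is a legitimate service, so a request to it is not an indicator on its own. Rule 3 catches the step the article calls “closing the loop,” which is also the easiest place to find victims after the fact, since the traffic to the real dhl.com is itself benign but the referer is not.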
This campaign proves that phishing doesn’t need to be high-tech to be effective. As Forcepoint X-Labs concludes, “The OTP page builds trust. The credential harvesting page spends it”.