Today, virtually everyone shops online and expects electronic notifications from package couriers regarding order status. That’s why a recently discovered phishing campaign, purporting to be an email from UPS, could have potentially traversed inboxes. The email states that the person’s package had an “exception” and directs them to download an invoice for pickup. Additionally, the email is filled with multiple legitimate links that mask its malicious intent. This phishing campaign is particularly notable because the threat actor utilized a cross-site scripting (XSS) vulnerability on the UPS website to distribute a malicious document purporting to be an invoice – making the file appear to be downloaded directly from UPS.com. XSS is a very common weakness in websites and consistently tops MITRE’s Common Weakness Enumeration (CWE) list. According to BleepingComputer, the XSS vulnerability on UPS.com has been fixed; however, this scam demonstrates the sophistication attackers employ in their phishing campaigns. For additional information and analysis on this campaign, visit BleepingComputer.