FedEx e-Order Notification Email Scam

The FedEx e-Order Notification Email Scam is a malicious spam (malspam) campaign that impersonates FedEx in an attempt to infect recipients' devices with malware. These fraudulent emails are carefully crafted to resemble genuine shipping notifications, making them appear trustworthy at first glance. However, a detailed analysis has confirmed that the messages are entirely fake and serve only one purpose: convincing recipients to open a dangerous attachment.

Recipients are strongly advised to ignore these emails and delete them immediately without opening any attached files.

The False Customs Storage Story

The scam emails claim that a shipment addressed to the recipient has been transferred to a FedEx Temporary Storage Area under the Airport Customs Directorate. According to the message, the package can only remain in storage for a limited period, typically 20 days, before further action is required.

To create a sense of urgency and legitimacy, the email instructs recipients to review an attached document containing customs clearance paperwork and information regarding storage fees. The goal is to pressure recipients into opening the attachment without carefully examining the message.

Fake Shipping Details Used to Build Credibility

To strengthen the illusion of authenticity, the emails contain various shipping-related details that resemble information found in legitimate logistics notifications. These details may include:

Arrival dates, tracking numbers, warehouse codes, registration numbers, and other shipment-related references.
Tables and formatting designed to mimic official transportation and customs documentation.

While these elements may appear convincing, they are simply fabricated details intended to make the scam seem genuine. FedEx has no involvement whatsoever in these emails.

The Dangerous Excel Attachment

The most harmful component of the scam is the attached Excel spreadsheet, commonly named:

fedex_awb_bl_tax_bill_document_receipt_payment_05_25_2026_00000000.xls

When opened, the file displays what appears to be a legitimate sales contract while remaining in Microsoft's Protected View mode. This document is merely a decoy designed to trick users into enabling editing features or interacting with embedded content.

Once those actions are taken, malicious code may execute and install malware on the victim's system.

Potential Malware Threats

Although the exact malware payload delivered by the attachment has not been conclusively identified, cybercriminals commonly use similar campaigns to distribute a wide range of threats. Possible malware types include trojans, spyware, keyloggers, ransomware, cryptocurrency miners, loaders, backdoors, and clipboard hijackers.

The consequences of a successful infection can be severe. Victims may experience stolen credentials, unauthorized account access, financial losses, identity theft, compromised personal data, degraded system performance, or complete device compromise.

Anyone who has already opened the attachment should immediately perform a comprehensive antivirus or anti-malware scan and investigate the system for signs of unauthorized activity.

How Malspam Campaigns Spread Malware

Malicious spam campaigns remain one of the most common methods for distributing malware. Attackers rely on deceptive emails that encourage recipients to open infected files or visit dangerous websites.

Common delivery methods include:

Malicious attachments disguised as documents, spreadsheets, PDF files, ZIP archives, executable files, JavaScript files, ISO images, and other seemingly harmless formats.
Fraudulent links that redirect users to compromised or fake websites where malware is automatically downloaded or users are instructed to execute malicious files manually.

In many cases, the infection process requires user interaction, such as enabling macros, activating editing mode, downloading additional files, or running embedded content.

Final Assessment

The FedEx e-Order Notification Email Scam is not a genuine shipping notification. It is a malicious email campaign that abuses the reputation of FedEx to distribute malware through a harmful Excel attachment. Opening the attached spreadsheet and interacting with its content may lead to malware infections, data theft, financial damage, identity theft, account compromise, and other serious cybersecurity incidents.

Any email claiming to contain customs clearance documents or shipment-related information should be carefully verified before action is taken. When there is any doubt regarding the legitimacy of a message, the safest approach is to avoid opening attachments, refrain from clicking links, and delete the email immediately.