Phishing Campaigns Exploiting Domain Spoofing and Complex Routing

Tags: domain spoofing, phishing operations, spoofing methods, phishing techniques, phishing tactics, phishing emails, phishing, email routing, credential harvesting, complex routing, email infrastructure, email security, credential compromise, social engineering, attacker strategies

Updated January 8, 2026 at 04:00 PM. 8 sources.
Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

Threat actors have intensified phishing operations by leveraging complex email routing techniques and exploiting domain misconfigurations to successfully spoof trusted brands. These campaigns manipulate email infrastructure weaknesses, allowing attackers to send convincing phishing emails that appear to originate from legitimate domains, thereby increasing the likelihood of user engagement and credential compromise. Security researchers have observed that such tactics are being used to bypass traditional email security controls, making detection and prevention more challenging for organizations.

During the holiday season, attackers combined these advanced spoofing methods with social engineering, sending emails that mimic Docusign notifications and Christmas-themed documents to exploit user trust and seasonal distractions. Victims are redirected through multiple hosting platforms before landing on credential harvesting sites, and a secondary wave of attacks targets personal financial data through fake loan application forms. The campaigns demonstrate a sophisticated use of both technical and psychological tactics to maximize the impact on both corporate and individual targets.

Sources

January 7, 2026 at 12:00 AM

3 more from sources like securityaffairs, microsoft security blog and cyber security news

Related Stories

Phishing Campaigns Exploiting Trusted Brands and Services

Threat actors have intensified their use of phishing campaigns by impersonating well-known brands and trusted online services to deceive victims and steal sensitive credentials. In one campaign identified by the Cofense Phishing Defense Center, attackers targeted individuals in social media and marketing roles by sending fake job application emails that appeared to originate from major companies such as Red Bull, Tesla, Google, and Ferrari. These emails used convincing language and branding, including up-to-date logos and tailored subdomains, to increase their legitimacy and lure recipients into clicking malicious links. The attackers further enhanced the credibility of their messages by spoofing the sender address to appear as if it came from a legitimate domain, such as Xero, which has been abused in previous phishing incidents. The phishing process often began with a CAPTCHA page to create a sense of security before redirecting victims to fraudulent login pages designed to harvest credentials. This approach demonstrates a sophisticated understanding of social engineering tactics and the value of resume and personal information in targeting specific job seekers.

In a separate but similarly themed incident, a Malwarebytes employee was targeted by a phishing email that impersonated 1Password, a popular password manager. The email falsely claimed that the recipient's 1Password account had been compromised and urged immediate action, including changing the account password and enabling two-factor authentication. The message mimicked legitimate security alerts, referencing 1Password's Watchtower feature, but included subtle red flags such as a sender address not associated with 1Password and a malicious link disguised as a legitimate action button. The phishing link directed users to a typosquatted domain, onepass-word[.]com, rather than the official 1Password website. Interestingly, the email's 'Contact us' link routed through a legitimate support page but used a redirect service, further complicating detection. The use of Mandrillapp, a transactional email delivery service, added another layer of apparent legitimacy to the phishing attempt.

Both campaigns highlight the increasing sophistication of phishing attacks, with threat actors leveraging trusted brands and services to bypass security filters and exploit user trust. The attackers' use of brand-specific subdomains, authentic-looking graphics, and familiar communication styles makes these phishing emails particularly convincing. By targeting individuals with tailored messages, such as job seekers or users of specific online services, the campaigns increase the likelihood of successful credential theft. The abuse of legitimate infrastructure, such as Xero's email services and Mandrillapp, demonstrates how attackers can exploit trusted platforms to evade detection.

Security teams are advised to educate users about the signs of phishing, including checking sender addresses, scrutinizing URLs, and being wary of urgent requests for sensitive information. Organizations should also monitor for abuse of their brand in phishing campaigns and work with email providers to block malicious domains. The incidents underscore the need for robust email security solutions and ongoing vigilance against evolving social engineering tactics. As phishing campaigns continue to evolve, both individuals and organizations must remain alert to the latest techniques used by cybercriminals to compromise accounts and steal valuable data.

5 months ago

Credential Phishing Campaigns Exploiting E-Signature and Note-Sharing Platforms

A widespread phishing campaign has targeted over 6,000 organizations across multiple sectors by impersonating trusted digital document platforms such as SharePoint and DocuSign. Attackers crafted emails that closely mimicked legitimate notifications, using authentic-looking subject lines, formatting, and logos to deceive recipients. The phishing links were obfuscated through services like Mimecast, Bitdefender, and Intercom, making them appear trustworthy and bypassing security filters. The primary objective was to lure users into credential theft pages, with industries such as consulting, tech, real estate, healthcare, and government being heavily targeted due to their reliance on document exchanges.

In a related tactic, threat actors have begun abusing the NoteGPT platform, an AI-powered note-sharing service, to host malicious files and further disguise phishing attempts. Victims receive emails that appear to be secure document notifications from familiar brands like Microsoft OneDrive, but the links redirect to NoteGPT-hosted phishing pages. These emails often spoof legitimate company addresses and use plain, routine subject lines to avoid suspicion. Once users attempt to access the fake documents, they are prompted to enter their credentials, which are then harvested by the attackers. Both campaigns highlight the increasing sophistication of phishing operations leveraging trusted platforms and services to evade detection and compromise professional accounts.

3 months ago

Phishing Campaigns Evade Detection by Abusing AI and Trusted Email Security Controls

Security researchers reported multiple **phishing evasion** techniques designed to defeat modern email and AI-assisted defenses rather than relying only on traditional lure quality. One campaign analyzed by KnowBe4 used **graymail-style content padding** and extreme whitespace insertion to manipulate NLP-based email security tools, placing benign promotional text, legitimate signatures, and trusted links far below the visible phishing lure so scanners would weigh the message as less malicious. A separate LevelBlue-tracked trend showed attackers abusing enterprise **URL rewriting** and *Safe Links*-style protections by sending phishing through compromised accounts, causing security gateways to generate trusted wrapped URLs that could then be reused in campaigns targeting **Microsoft 365** users. The activity reflects a broader shift toward exploiting the gap between what users see and what automated systems inspect.

In the URL-rewriting abuse, operators tied to **Tycoon2FA** and **Sneaky2FA** built multi-layer redirect chains across several trusted vendor domains to obscure final destinations and steal credentials and MFA session cookies through adversary-in-the-middle infrastructure, enabling account takeover, internal phishing, data theft, and sometimes ransomware follow-on activity. Related research from LayerX showed a different but thematically aligned evasion method in which **font rendering and CSS** make webpages display malicious commands to users while AI assistants parsing the underlying HTML see only harmless text, underscoring that attackers are increasingly targeting AI and trust-based inspection layers as part of phishing and social-engineering operations.
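The padding technique described above (a short lure with a link, then a long run of blank lines, then bulk benign text) suggests a simple triage heuristic a defender can run over plain-text message bodies: find the first long gap of blank lines and measure how little of the message's real text, and whether a URL, sits above it. This is an added example, not code from KnowBe4 or the original article; the thresholds, the `analyze_padding` function and the two message samples are constructed assumptions.

```python
import re
from dataclasses import dataclass

URL = re.compile(r'https?://[^\s<>"\']+')


@dataclass
class PaddingReport:
    blank_run_lines: int      # longest run of consecutive whitespace-only lines
    whitespace_ratio: float   # share of the raw body that is whitespace
    lure_fraction: float      # share of non-whitespace text above the first long gap
    url_above_gap: bool       # a link appears in the short section above the gap
    suspicious: bool          # all three padding indicators present together


def analyze_padding(body: str, min_gap_lines: int = 20,
                    max_lure_fraction: float = 0.25) -> PaddingReport:
    """Heuristic (assumed thresholds) for graymail-style whitespace padding."""
    lines = body.splitlines()
    longest = run = 0
    gap_start = None                      # index of the first qualifying gap
    for i, line in enumerate(lines):
        if line.strip():
            run = 0
            continue
        run += 1
        longest = max(longest, run)
        if run == min_gap_lines and gap_start is None:
            gap_start = i - run + 1
    nonws = [len(re.sub(r"\s", "", l)) for l in lines]
    total = sum(nonws) or 1
    above = sum(nonws[:gap_start]) if gap_start is not None else total
    lure_fraction = above / total
    whitespace_ratio = 1 - total / max(len(body), 1)
    url_above_gap = (gap_start is not None
                     and URL.search("\n".join(lines[:gap_start])) is not None)
    suspicious = url_above_gap and lure_fraction <= max_lure_fraction
    return PaddingReport(longest, round(whitespace_ratio, 3),
                         round(lure_fraction, 3), url_above_gap, suspicious)


# Constructed samples: a padded lure and an ordinary short newsletter.
PADDED_LURE = ("Your mailbox password expires today.\n"
               "Verify now: https://example.invalid/verify\n"
               + "\n" * 60
               + ("Thanks for reading our monthly newsletter. " * 40 + "\n") * 5
               + "Unsubscribe: https://newsletter.example.com/unsubscribe\n"
               "Best regards,\nThe Marketing Team\n")
NORMAL_NEWSLETTER = ("Hello,\n\nHere is this month's update.\n\n"
                     "Read more: https://newsletter.example.com/news\n\nCheers\n")
```

Run it on HTML bodies only after converting to text, since the same padding can be hidden in markup that a plain-text view never shows; tune `min_gap_lines` against your own legitimate mail before alerting on it.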

Today