Cybercriminals Use Fake Spam Alerts with Websockets for Instant Email Credential Theft


In a sophisticated phishing campaign, cybercriminals are impersonating legitimate spam-filter notifications to trick users into handing over their email login credentials. The fraudulent emails claim that the recipient's organization has recently upgraded its "Secure Message" system and that, as a result, some messages are being held back from the inbox. The email prompts the user to click a "Move to Inbox" button to retrieve the supposedly pending messages. What looks like a routine system notification is a calculated lure to harvest credentials.

The phishing emails are carefully crafted to appear authentic, with generic message titles and delivery reports that look routine. An included unsubscribe link adds to the illusion of legitimacy. Both the main action button and the unsubscribe link, however, redirect victims through a compromised domain before landing on the actual phishing site. Notably, the attackers embed the recipient's email address in the URL as a base64 string, which lets the fake login page decode it and automatically display the user's own domain. This personalization makes the scam more convincing; for a responder, the same encoded string reveals which user a captured lure URL was aimed at.
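As an added example, not code from the campaign or from the article, the following Node.js snippet shows both halves of the trick described above: how a base64-encoded recipient address in a lure URL is decoded to personalize the fake page with the victim's domain, and a small triage helper that pulls the encoded address back out of a captured URL. The hostname, path, query parameter name and the email address are all constructed for illustration.

```javascript
// Added example (not the campaign's code). Demonstrates decoding a base64
// recipient address carried in a lure URL, as the article describes.
// Everything below (hostname, parameter name, address) is constructed.

// Constructed lure: the victim's address is carried as a base64 query value.
const SAMPLE_LURE =
  "https://example-compromised.test/r/?id=" +
  Buffer.from("jane.doe@victim-corp.example").toString("base64");

function looksLikeEmail(s) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);
}

// Decode one candidate token. Returns the e-mail address it encodes, or null
// if the token is not clean base64 or does not decode to an address.
function decodeEmailToken(token) {
  // URLSearchParams turns "+" into a space; restore it. Also accept the
  // URL-safe alphabet and missing padding, since kits vary in what they emit.
  const normalized = token.replace(/ /g, "+").replace(/-/g, "+").replace(/_/g, "/");
  const padded = normalized + "=".repeat((4 - (normalized.length % 4)) % 4);
  let decoded;
  try {
    decoded = Buffer.from(padded, "base64").toString("utf8");
  } catch {
    return null;
  }
  // Buffer.from() silently drops bad characters, so require an exact
  // round trip before trusting the result.
  if (Buffer.from(decoded, "utf8").toString("base64") !== padded) return null;
  return looksLikeEmail(decoded) ? decoded : null;
}

// Triage helper: scan query values, path segments and the fragment of a
// captured URL for an encoded address.
function extractEncodedEmail(urlString) {
  const url = new URL(urlString);
  const candidates = [
    ...url.searchParams.values(),
    ...url.pathname.split("/"),
    url.hash.slice(1),
  ];
  for (const candidate of candidates) {
    const email = decodeEmailToken(candidate);
    if (email) return email;
  }
  return null;
}

// What the fake page does with the token: show the victim's own domain so
// the login form looks tailored to their organization.
function personalize(urlString) {
  const email = extractEncodedEmail(urlString);
  if (!email) return null;
  const domain = email.split("@")[1];
  return { email, domain, banner: `Sign in to ${domain} to release held messages` };
}

console.log(personalize(SAMPLE_LURE));
```

Running the file prints the decoded address and the personalized banner the page would show. When triaging a reported lure, feeding the full redirect-chain URLs through `extractEncodedEmail` identifies the targeted mailbox without visiting the phishing site.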

Security analysts have observed that the fake login page is built from heavily obfuscated code, which makes its intent hard to see on inspection. Unlike traditional credential harvesting, which collects the form's contents only when the victim submits it, this page opens a WebSocket to the attacker's server and sends user input as it is typed. A WebSocket keeps a persistent connection between the browser and the server, so data flows immediately without page loads or form posts. As the victim types an email address and password into the fraudulent form, the attackers receive each character in real time, which means the credentials are in their hands even if the victim never clicks the login button. This lets them log in to the email account, connected cloud storage and other linked services within seconds.

Furthermore, because the WebSocket works in both directions, the attackers can push a prompt to the page at the right moment to request additional information, such as a two-factor authentication (2FA) code. By relaying the stolen password and the freshly captured code to the real service before the code expires, they can get into accounts protected by SMS or authenticator-app codes, rendering code-based 2FA ineffective against this type of attack. Only origin-bound, phishing-resistant methods such as FIDO2/WebAuthn security keys withstand this relay, since the authenticator will not produce a valid assertion for the attacker's domain.
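The two preceding paragraphs describe a message flow rather than a form post. The following is an added example, not code from the campaign or the article: an in-process model of that exchange with both endpoints, so it runs offline. Two fake socket objects stand in for the victim's browser and the attacker's server; the frame shapes (`key`, `submit`, `prompt`), field names and the typed sample credentials are all constructed for illustration.

```javascript
// Added example (not the campaign's code). Models the WebSocket exchange the
// article describes: per-keystroke frames from the fake page and a server
// push that makes the page ask for a 2FA code. All names are constructed.

// Minimal in-memory stand-in for two connected WebSocket endpoints.
function makeSocketPair() {
  const a = { onmessage: null, send: (m) => b.onmessage && b.onmessage(m) };
  const b = { onmessage: null, send: (m) => a.onmessage && a.onmessage(m) };
  return [a, b];
}

// Attacker side: rebuild each field from keystroke frames and react in real time.
class AttackerSession {
  constructor(socket) {
    this.socket = socket;
    this.fields = {};       // field name -> text reconstructed so far
    this.log = [];          // ordered timeline of what was learned, and when
    this.otpRequested = false;
    socket.onmessage = (raw) => this.handle(JSON.parse(raw));
  }
  handle(msg) {
    if (msg.t === "key") {
      this.fields[msg.field] = (this.fields[msg.field] || "") + msg.ch;
      this.log.push(`key ${msg.field} -> ${this.fields[msg.field].length} chars`);
    } else if (msg.t === "submit") {
      this.log.push("submit");
      // The password is already complete at this point; push a prompt so the
      // page asks for a one-time code that can be relayed while it is valid.
      if (!this.otpRequested) {
        this.otpRequested = true;
        this.socket.send(JSON.stringify({ t: "prompt", field: "otp", text: "Enter the verification code" }));
      }
    }
  }
  credentials() {
    return { ...this.fields };
  }
}

// Victim side: a model of the fake login page. Every keystroke is sent at
// once; a server "prompt" frame makes the page reveal another input field.
class FakeLoginPage {
  constructor(socket) {
    this.socket = socket;
    this.visibleFields = ["email", "password"];
    socket.onmessage = (raw) => {
      const msg = JSON.parse(raw);
      if (msg.t === "prompt") this.visibleFields.push(msg.field);
    };
  }
  type(field, text) {
    if (!this.visibleFields.includes(field)) throw new Error(`no field ${field}`);
    for (const ch of text) this.socket.send(JSON.stringify({ t: "key", field, ch }));
  }
  clickSubmit() {
    this.socket.send(JSON.stringify({ t: "submit" }));
  }
}

// Run the flow end to end and report what the attacker holds at each stage.
function runScenario() {
  const [browserSide, serverSide] = makeSocketPair();
  const attacker = new AttackerSession(serverSide);
  const page = new FakeLoginPage(browserSide);

  page.type("email", "jane.doe@victim-corp.example"); // constructed sample
  page.type("password", "hunter2!");                   // constructed sample
  const beforeSubmit = attacker.credentials();         // complete before any click
  page.clickSubmit();                                  // triggers the OTP prompt
  page.type("otp", "123456");                          // constructed sample
  return {
    beforeSubmit,
    final: attacker.credentials(),
    log: attacker.log,
    otpPrompted: page.visibleFields.includes("otp"),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The `beforeSubmit` snapshot is the point to note: the attacker already holds the full password before the `submit` frame exists in the timeline, so during incident triage a user's statement that they "closed the page without logging in" cannot be taken as evidence that nothing was captured. The `prompt` frame shows why a code relayed this way beats OTP-based 2FA, and why an origin-bound authenticator, which never sees a code to relay, does not have the same weakness.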