PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

March 31, 2025, 7:57 p.m.

Description

Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.

Date

  • Created: March 31, 2025, 7:56 p.m.
  • Published: March 31, 2025, 7:56 p.m.
  • Modified: March 31, 2025, 7:57 p.m.

Indicators

Attack Patterns

  • Morphing Meerkat