Phishing Emails Disguised as Spam Filter Alerts Are Stealing Logins
Summary:
A rapidly evolving phishing campaign is impersonating internal “spam filter” or “secure message” alerts to trick users into handing over their credentials. The emails claim that the organization has upgraded its secure messaging system and that several “pending messages” were not delivered to the user’s inbox. To appear legitimate, the email includes fabricated message titles, a “Move to Inbox” button, and even an unsubscribe link, all designed to mimic routine internal notifications. Both the button and the unsubscribe link pass through an open redirect on cbssports[.]com, so the first hop points at a reputable domain and is less likely to be blocked on reputation, before landing on the phishing page.
The phishing site automatically inserts the victim’s domain so the page looks personalized and trustworthy. Unlike earlier versions documented by Unit42, this iteration uses heavily obfuscated code and sends captured credentials over a WebSocket rather than a one-shot form post. The operator receives the password as soon as it is submitted and can push a prompt for a 2FA code while the victim is still on the page, then use the still-valid code to sign in. This gives them immediate access to email accounts, cloud storage, files, and any services tied to the compromised email identity.
Security Officer Comments:
This campaign is notable for its blend of legitimate-looking internal alerts, trusted redirect infrastructure, and real-time credential harvesting, an increasingly common and dangerous trend. Because both the password and the 2FA code reach the operator over a live WebSocket, a static credential harvest becomes an adversary-in-the-middle login: the attacker can replay the one-time code before it expires, so MFA that relies on a typed code does not by itself stop this. Organizations should expect this technique to continue evolving and should reinforce executive and employee awareness, enhance detection of unusual login flows (for example, a redirect off a reputable domain followed by a credential prompt on an unfamiliar host), and flag suspicious redirects or inbox-delivery prompts that mimic internal systems.
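The three stages above (redirect off a reputable domain, a landing page personalized with the victim’s domain, a WebSocket opened to relay the credentials) can be picked out of web-proxy telemetry. The following Python is an added example written for this page, not the campaign’s code and not tooling from Malwarebytes or Unit42. The log format, every hostname other than cbssports[.]com, the redirect path, the `?d=` query parameter used for personalization, and the list of trusted sign-in hosts are all assumptions; the log lines are constructed. The last function also makes the “check the address bar” rule from the Suggested Corrections strict enough to catch a trusted name embedded in a longer hostname.

```python
"""Detection logic for the chain described above: an e-mail link that bounces
through a redirect on a trusted domain, lands on a credential page personalised
with the victim's domain, then opens a WebSocket to relay password and MFA code."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumptions: the organisation's real sign-in hosts, its own domain, and the
# redirector domain (the page names cbssports[.]com; the path is invented).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "sso.example.com"}
ORG_DOMAIN = "example.com"
REDIRECTOR_DOMAINS = {"cbssports.com"}

# Constructed log: ts user method url status location upgrade ("-" = none).
# Alice follows the phishing chain; Bob performs a normal sign-in.
SAMPLE_LOG = """\
1 alice GET https://www.cbssports.com/redirect?u=https://secure-msg-portal.net/inbox 302 https://secure-msg-portal.net/inbox?d=example.com -
2 alice GET https://secure-msg-portal.net/inbox?d=example.com 200 - -
3 alice GET wss://relay.secure-msg-portal.net/ws 101 - websocket
4 alice POST https://secure-msg-portal.net/api/verify 200 - -
5 bob GET https://login.microsoftonline.com/common/oauth2/authorize 200 - -
6 bob POST https://login.microsoftonline.com/common/login 302 https://outlook.office.com/ -
"""

LOG_RE = re.compile(r"(\d+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+) (\S+)")


def parse_log(text):
    """Turn the constructed log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not in the expected shape
        ts, user, method, url, status, location, upgrade = m.groups()
        events.append({
            "ts": int(ts), "user": user, "method": method, "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
            "upgrade": None if upgrade == "-" else upgrade,
        })
    return sorted(events, key=lambda e: e["ts"])


def registered_domain(host):
    """Last two labels of a hostname; use the public suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def find_suspicious_chains(events):
    """Return (user, kind, from, to) alerts for the three stages of the chain."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        landing = None  # host the victim was bounced to by the redirector
        for e in evs:
            host = (urlparse(e["url"]).hostname or "").lower()
            # Stage 1: a redirect on a reputable domain sends the user to an
            # unknown host instead of a known sign-in page.
            if (e["status"] in (301, 302, 307, 308) and e["location"]
                    and registered_domain(host) in REDIRECTOR_DOMAINS):
                dest = (urlparse(e["location"]).hostname or "").lower()
                if dest not in TRUSTED_LOGIN_HOSTS:
                    landing = dest
                    alerts.append((user, "open_redirect", host, dest))
            # Stage 2: the landing page carries the victim's domain in its
            # query string, the hook it uses to look "personalised".
            if landing and host == landing:
                qs = parse_qs(urlparse(e["url"]).query)
                if any(ORG_DOMAIN in v for vals in qs.values() for v in vals):
                    alerts.append((user, "domain_in_query", host, e["url"]))
            # Stage 3: a WebSocket is opened during the flow to a host that is
            # not a known sign-in service, consistent with live credential relay.
            if (landing and e["upgrade"] == "websocket"
                    and host not in TRUSTED_LOGIN_HOSTS):
                alerts.append((user, "websocket_relay", landing, host))
    return alerts


def address_bar_check(url):
    """The 'check the address before signing in' rule, made strict: only an
    exact trusted host passes; a trusted name embedded in a longer hostname
    (login.microsoftonline.com.evil.example) is flagged as a lookalike."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_LOGIN_HOSTS:
        return "ok"
    if any(t in host for t in TRUSTED_LOGIN_HOSTS):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for alert in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as a script, it prints three alerts for alice (open_redirect, domain_in_query, websocket_relay) and none for bob. The WebSocket rule is deliberately scoped to sessions that began with a flagged redirect; many legitimate sites use WebSockets, so alerting on the upgrade alone would drown the signal.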
Suggested Corrections:
In phishing attempts like these, two simple rules can save you from a lot of trouble.
- Don’t open unsolicited attachments, and don’t follow links in unexpected “undelivered message” notices; open the mail or quarantine system directly instead.
- Always check the website address in the browser before signing in. The hostname must be exactly the site you expect, not merely a page that shows your company’s domain or logo (this kit fills in the victim’s domain automatically).
Other important tips to stay safe from phishing in general:
- Verify the sender. Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive, but it can help you spot some attempts.
- Double-check requests through another channel if you receive an attachment or a link you weren’t expecting.
- Use up-to-date security software, preferably with a web protection component.
- Keep your device and all its software updated.
- Use multi-factor authentication (MFA) for every account you can, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) where available; this campaign relays one-time codes in real time, so a typed code alone can be captured and used before it expires.
https://www.malwarebytes.com/blog/n...sed-as-spam-filter-alerts-are-stealing-logins