Mar 27, 2025Ravie LakshmananEmail Security / Malware

Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.

DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat.

“The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram,” the company said in a report shared with The Hacker News.

One such campaign leveraging the PhaaS toolkit was documented by Forcepoint in July 2024, where phishing emails contained links to a purported shared document that, when clicked, directed the recipient to a fake login page hosted on Cloudflare R2 with the end goal of collecting and exfiltrating the credentials via Telegram.

Morphing Meerkat is estimated to have delivered thousands of spam emails, with the phishing messages using compromised WordPress websites and open redirect vulnerabilities on advertising platforms like Google-owned DoubleClick to bypass security filters.

It’s also capable of translating phishing content text dynamically into over a dozen different languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese, to target users across the world.

In addition to complicating code readability via obfuscation and inflation, the phishing landing pages incorporate anti-analysis measures that prohibit the use of mouse right-click as well as keyboard hotkey combinations Ctrl + S (save the web page as HTML), Ctrl + U (open the web page source code).

But what makes the threat actor truly stand out is its use of DNS MX records obtained from Cloudflare or Google to identify the victim’s email service provider (e.g., Gmail, Microsoft Outlook, or Yahoo!) and dynamically serve fake login pages. In the event, that the phishing kit is unable to recognize the MX record, it defaults to a Roundcube login page.

“This attack method is advantageous to bad actors because it enables them to carry out targeted attacks on victims by displaying web content strongly related to their email service provider,” Infoblox said. “

“The overall phishing experience feels natural because the design of the landing page is consistent with the spam email’s message. This technique helps the actor trick the victim into submitting their email credentials via the phishing web form.”