Beware of Phishing Emails as Spam Filter Alerts Steal Your Email Logins in a Blink

Cybercriminals have launched a new phishing campaign that tricks users by impersonating legitimate spam-filter notifications from their own company.

These fake emails claim that your organization recently upgraded its Secure Message system and that some pending messages failed to reach your inbox.

The message urges you to click the “Move to Inbox” button to retrieve the supposedly held emails. What appears to be a helpful system notification is actually a dangerous trap designed to steal your email login details.

The phishing email looks surprisingly convincing, displaying generic message titles and delivery reports that seem routine and harmless.

It even includes an unsubscribe link to make it appear more legitimate. However, both the main button and the unsubscribe link send victims through a redirect on a compromised cbssports[.]com page before they land on the actual phishing site hosted on mdbgo[.]io.

[Figure: Email delivery reports (Source: Malwarebytes)]

The attackers encode your email address as a base64 string in the URL, allowing the fake login page to display your domain automatically, making the scam look even more personalized and trustworthy.
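A defender-side check for the personalization trick described above, as an added example that is not from the original article: it scans a link (for instance from a mail gateway or proxy log) for a base64 token that decodes to an email address and reports whether it matches the recipient. The sample URL, hostnames and function names are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SPLIT_RE = re.compile(r"[/?&=#;:]+")  # URL delimiters; '=' padding is re-added later


def decode_token(token):
    """Decode standard or URL-safe base64 text; return None if it is not base64."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def embedded_emails(url):
    """Return lower-cased email addresses found base64-encoded in the URL."""
    found, layer = [], url
    for _ in range(3):  # peel percent-encoding layers added by redirectors
        for piece in SPLIT_RE.split(layer):
            text = decode_token(unquote(piece))
            if text and EMAIL_RE.match(text) and text.lower() not in found:
                found.append(text.lower())
        peeled = unquote(layer)
        if peeled == layer:
            break
        layer = peeled
    return found


def carries_recipient(url, recipient):
    """True when the link embeds the recipient's own address."""
    return recipient.lower() in embedded_emails(url)


# Constructed sample: a redirector link whose nested target ends in a token.
SAMPLE_RECIPIENT = "jane.doe@example.com"
_token = base64.urlsafe_b64encode(SAMPLE_RECIPIENT.encode()).decode()
SAMPLE_URL = ("https://redirector.example/r?u="
              "https%3A%2F%2Flogin-page.example%2Fauth%23" + _token)

if __name__ == "__main__":
    print(SAMPLE_URL)
    print(embedded_emails(SAMPLE_URL), carries_recipient(SAMPLE_URL, SAMPLE_RECIPIENT))
```

A match is a signal to combine with others (unfamiliar redirect target, login form on a non-corporate domain), since some legitimate mailing tools also embed recipient identifiers in links.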

Following initial warnings from Unit42 researchers about this campaign, Malwarebytes security analysts identified that the attack has become more advanced and continues to change rapidly.

The fake login page is not just a simple credential harvester but uses heavily obfuscated code to hide its true purpose.

Websocket-Based Credential Harvesting

The technical setup behind this phishing attack sets it apart from traditional methods. Instead of simply collecting your username and password after you click submit, this campaign uses websocket technology to steal your information instantly.

A websocket creates a continuous connection between your browser and the attacker’s server, similar to keeping a phone line open without hanging up.

This allows data to flow in both directions immediately, without refreshing the page.

When you type your email and password into the fake login form, attackers receive your credentials in real time as you enter each character.

This gives them the ability to access your email account, cloud storage, and other connected services within seconds.

The websocket connection also lets attackers send you additional prompts asking for two-factor authentication codes, making it possible to get into even accounts protected with extra security layers.

The post Beware of Phishing Emails as Spam Filter Alerts Steal Your Email Logins in a Blink appeared first on Cyber Security News.

Source: cybersecuritynews.com
