Cybercriminals have launched a new, sophisticated phishing campaign that tricks users by impersonating legitimate spam filter notifications from their own companies.
These fake emails claim that the recipient’s organization recently upgraded its Secure Message system and that some pending messages failed to reach the inbox. The message then urges the user to click a "Move to Inbox" button to retrieve the supposedly held emails. This seemingly helpful system notification is actually a dangerous trap designed to steal email login credentials.
Advanced Credential Harvesting
The phishing email is highly convincing, displaying generic message titles and routine delivery reports. It even includes an unsubscribe link to appear more legitimate. However, both the main button and the unsubscribe link redirect victims through a compromised domain before landing on the actual phishing site.
The attack has become highly personalized: the attackers encode the victim's email address in the URL, allowing the fake login page to automatically display the correct company domain, making the scam look more trustworthy.
Real Time Credential Theft via Websockets
What sets this campaign apart is its technical setup, which moves beyond traditional credential harvesting. The fake login page uses websocket technology to steal information instantly.
A websocket creates a continuous, open connection between the victim's browser and the attacker’s server. As the victim types their email and password into the fake form, the attackers receive the credentials in real time, character by character. This gives the criminals the ability to access the victim's email account, cloud storage, and other connected services within seconds. The websocket connection also allows the attackers to immediately send additional prompts, enabling them to bypass accounts protected with two factor authentication (2FA).
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
