A phishing kit that has spoofed more than 100 brands was observed using DNS mail exchange (MX) records, which direct a domain's inbound email to its mail servers, to dynamically serve fake, tailored login pages.
The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, then compromises domains for phishing distribution and finally distributes stolen credentials through several mechanisms, including Telegram.
In a March 27 blog post, Infoblox researchers said they found many variations of the phishing kit and assessed that they likely stem from a phishing-as-a-service (PHaaS) platform they call "Morphing Meerkat."
The researchers said they first saw campaigns that used the phishing kit as early as January 2020. Originally, the kits only targeted Gmail, Outlook, AOL, Office 365, and Yahoo; they had no translation module, so the kits could only display English text in the phishing templates.
However, over time, Morphing Meerkat expanded its library of templates, and the Infoblox researchers eventually saw 114 brand designs. By July 2023, the kits could dynamically load phishing pages based on DNS MX records. The kits can now also dynamically translate text based on the victim's web profile and target users in more than a dozen languages.
“Although using MX records in a phishing campaign to more directly customize landing pages isn't new, I do think this is the first time I've heard of it possibly being automated or as part of a big phishing campaign that also contains so many other deftly handled components,” said Roger Grimes, data-driven defense analyst at KnowBe4.
Grimes pointed out that because social engineering is involved in 70% to 90% of successful hacking attacks, it’s important that all users understand the sophistication of today's phishing attacks, including that landing pages could look very, very similar to their real web pages.
“This has to be drilled into them often ... with simulated phishing tests incorporating similar strategies on a monthly to weekly basis,” said Grimes. “Organizations that only educate and test once a year or once a quarter are at far larger risk of being successfully compromised.”
Heath Renfrow, co-founder and CISO at Fenix24, added that by leveraging legitimate DNS infrastructure to host or redirect to phishing pages, Morphing Meerkat introduces a level of stealth that can bypass traditional detection methods. Renfrow said it isn’t just a case of spoofed domains: it’s a calculated abuse of trust in core internet protocols, which makes it harder for defenders to spot and block malicious activity without deeper DNS visibility.
“Most PhaaS kits rely on lookalike domains or static infrastructure,” said Renfrow. “Morphing Meerkat is dynamic, it continuously rotates phishing pages and brand impersonations through DNS tricks, particularly by spoofing MX records and mimicking legitimate mail servers. This lets threat actors maintain higher uptime for malicious pages and reduce blacklisting effectiveness. It also blurs the line between email and web-based attacks, increasing the challenge for defenders.”
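One concrete form of the “deeper DNS visibility” Renfrow describes, as an added example that is not from the article or from Infoblox: MX lookups are normally issued by mail servers, so an MX query from an ordinary workstation is a cheap anomaly signal. The script assumes BIND-style resolver query-log lines (the sample below is constructed), a hypothetical allowlist of mail-relay IPs, and that the kit's MX lookup is issued from the victim's endpoint, which the article does not state.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND query-log style (not real traffic).
# 10.20.5.17 is a workstation; 10.0.0.25 is the corporate mail relay.
SAMPLE_LOG = """\
27-Mar-2025 09:14:02.113 client 10.20.5.17#51234: query: example-corp.test IN A + (10.0.0.53)
27-Mar-2025 09:14:02.540 client 10.20.5.17#51301: query: example-corp.test IN MX + (10.0.0.53)
27-Mar-2025 09:14:03.002 client 10.20.5.17#51322: query: partner-mail.test IN MX + (10.0.0.53)
27-Mar-2025 09:14:05.771 client 10.0.0.25#41002: query: partner-mail.test IN MX + (10.0.0.53)
27-Mar-2025 09:14:06.100 client 10.20.7.88#60011: query: cdn.example.test IN AAAA + (10.0.0.53)
"""

# Tolerates both the older "client IP#port:" and newer "client @0x... IP#port (qname):" forms.
LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

# Hypothetical allowlist: hosts expected to resolve MX records (mail relays, MTAs).
MAIL_RELAYS = {"10.0.0.25"}


def flag_mx_from_endpoints(log_text, mail_relays=MAIL_RELAYS):
    """Return {client_ip: [queried names]} for MX lookups made by hosts
    that are not known mail relays. Non-MX queries are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("qtype") != "MX":
            continue
        if m.group("ip") in mail_relays:
            continue  # expected behaviour for an MTA
        hits[m.group("ip")].append(m.group("qname"))
    return dict(hits)


if __name__ == "__main__":
    for ip, names in flag_mx_from_endpoints(SAMPLE_LOG).items():
        print(f"MX lookups from non-mail host {ip}: {', '.join(names)}")
```

This only sees queries that reach the internal resolver; a lookup sent over DNS-over-HTTPS to a public resolver bypasses it entirely, so pair the check with egress controls on DoH endpoints.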
Renfrow offered the following five tips to defenders: