Phishing-as-a-Service (PhaaS) platforms continue to evolve with alarming sophistication, as cybersecurity experts have recently exposed a clever new technique known as “Morphing Meerkat.” This innovative approach uses Domain Name System (DNS) mail exchange (MX) records to create highly convincing fake login pages for over 100 well-known companies.
At first glance, Morphing Meerkat might seem like just another spam campaign flooding email inboxes. However, beneath the surface lies a sophisticated operation employing cutting-edge tactics that make it significantly more dangerous and challenging to detect—especially for individuals without technical expertise.
In a blog post on 27 March, Infoblox researchers revealed that they first observed campaigns using the phishing kit as early as January 2020. Initially, the kits targeted only Gmail, Outlook, AOL, Office 365, and Yahoo. Without a translation module, the phishing templates displayed text solely in English.
The phishing kits changed in July 2023 to load phishing URLs dynamically using DNS MX records. Today, these kits can also translate content in real time, adapting to a victim’s web profile and supporting over a dozen languages.
Inside the Phishing-as-a-Service Morphing Meerkat Attack Using DNS MX Records and Open Redirection
Morphing Meerkat’s clever use of MX data for phishing has gone largely unreported and undocumented, even though it has relied on the same strategies and core infrastructure throughout this period.
Morphing Meerkat is a Phishing-as-a-Service (PhaaS) platform offering a complete toolkit for launching scalable and evasive phishing campaigns with minimal technical expertise. It has a centralised SMTP infrastructure for sending spam emails, and investigators traced 50% of the messages to HostPapa (US) and iomart (UK).
The platform can impersonate over 114 email and service providers, including Gmail, Outlook, Yahoo, DHL, Maersk, and RakBank. It uses urgent subject lines like “Action Required: Account Deactivation” to deceive recipients. It spoofs sender identities and addresses and sends messages in several languages, such as English, Spanish, Russian, and Chinese.
To redirect victims who click malicious links, the operators chain several weaknesses: open redirects on adtech platforms such as Google DoubleClick, hijacked WordPress sites, look-alike domains, and free hosting services. Morphing Meerkat is designed to bypass security measures through:
- Open redirect exploitation on adtech servers
- Redirection via compromised WordPress sites
- DNS MX record queries to identify victim email providers
- Mass spam delivery and dynamic content tailoring
Once the victim hits the final phishing page, the kit queries their email domain’s MX record using DoH (via Google or Cloudflare). To maximise credibility and the chance of credential theft, a fake login page appears that is pre-filled with the victim’s email address.
After victims input their login credentials, PHP scripts on phishing pages and AJAX queries to external servers exfiltrate the data to threat actors. Attackers may use Telegram bot webhooks to transmit stolen data in real time.
To increase the likelihood of success, the phishing site displays an error message: “Invalid Password. Please enter your email and the correct password,” prompting victims to re-enter their credentials.
A notable campaign using the PhaaS toolkit was documented by Forcepoint in July 2024. In this attack, phishing emails contained links to a fake shared document. Clicking the link redirected victims to a counterfeit login page hosted on Cloudflare R2, designed to steal credentials and forward them via Telegram. After the victims submitted their details, the system redirected them to the legitimate login page to avoid suspicion.
Phishing landing pages use both code obfuscation and inflation (padding) to hinder readability, alongside anti-analysis measures. These include disabling right-click functionality and blocking keyboard shortcuts such as Ctrl + S (save page as HTML) and Ctrl + U (view source code).
However, what differentiates the threat actor is its use of DNS MX records (retrieved from Cloudflare or Google) to identify the victim’s email provider (e.g., Gmail, Outlook, Yahoo!) and dynamically build fake login pages.
The Morphing Meerkat phishing kit uses DNS over HTTPS (DoH) and DNS MX records, making it more sophisticated than similar phishing kits. DoH encrypts DNS requests inside HTTPS to prevent monitoring, whereas MX records direct email traffic by identifying the mail servers for a given domain. When a victim clicks a phishing link, the kit queries Google or Cloudflare to fetch their email provider’s MX records, ensuring a more convincing attack.
Infoblox mentioned in the blog post:
This attack method is advantageous to bad actors because it enables them to carry out targeted attacks on victims by displaying web content strongly related to their email service provider. The overall phishing experience feels natural because the design of the landing page is consistent with the spam email’s message. This technique helps the actor trick the victim into submitting their email credentials via the phishing web form.
Cybercriminals use sophisticated tactics such as DNS masking and open redirection to bypass security measures, making phishing attacks more difficult to detect.
Strengthening a business’s DNS security is one practical way to protect it. This involves restricting DNS access so that users cannot contact DoH servers directly, and blocking unnecessary connections to file-sharing and adtech sites that are not required for business operations.
Businesses can minimise their attack surface and limit the opportunity for attackers to deliver threats by restricting access to non-essential services. Security teams should also keep a close eye on DNS queries, looking for abnormalities such as unusual MX record setups or unexpected domain resolutions.
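One way to act on the monitoring advice above, as an added example that is not part of Infoblox’s report or the kit itself: a small Python checker that scans web-proxy log lines for the browser-side DoH JSON lookups the kit makes against Google or Cloudflare, and ranks MX-type queries as high severity because an ordinary browsing session has no reason to ask for a domain’s mail servers. The simplified log format, client addresses and domain names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Public DoH JSON endpoints named in the report (Google and Cloudflare) that
# a phishing page can call directly from the victim's browser.
DOH_ENDPOINTS = {
    ("dns.google", "/resolve"),
    ("cloudflare-dns.com", "/dns-query"),
    ("1.1.1.1", "/dns-query"),
}

# Both endpoints accept the record type as a name or a numeric code;
# normalise the common ones so "15" and "MX" are treated the same.
RR_TYPES = {"15": "MX", "MX": "MX", "1": "A", "A": "A", "16": "TXT", "TXT": "TXT"}

# Constructed proxy log format: "<client> <method> <url>" (assumption).
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample log: two clients fingerprinting a domain's mail
# provider via DoH, one normal page load, one benign A lookup.
SAMPLE_LOG = """\
10.0.0.12 GET https://dns.google/resolve?name=victim-corp.example&type=MX
10.0.0.12 GET https://www.example.org/index.html
10.0.0.17 GET https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=15
10.0.0.21 GET https://dns.google/resolve?name=www.example.net&type=A
"""

def classify_request(line):
    """Return an alert dict if the line is a DoH JSON lookup, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if (parts.hostname, parts.path) not in DOH_ENDPOINTS:
        return None
    qs = parse_qs(parts.query)
    name = qs.get("name", [""])[0].rstrip(".").lower()
    raw_type = qs.get("type", ["A"])[0].upper()
    rrtype = RR_TYPES.get(raw_type, raw_type)
    # An MX lookup from a browser session matches the kit's provider
    # fingerprinting step; anything else is logged at low severity.
    return {"client": m.group("client"), "resolver": parts.hostname,
            "name": name, "type": rrtype,
            "severity": "high" if rrtype == "MX" else "low"}

def scan_log(lines):
    """Run the classifier over every log line and keep only the alerts."""
    return [a for a in (classify_request(l) for l in lines) if a]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```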
Even the most advanced Phishing-as-a-Service kits still rely on human interaction. Businesses can address this by regularly implementing adaptive phishing training that mimics actual attack strategies.
Furthermore, the likelihood of phishing emails reaching employees’ inboxes is reduced by using robust email authentication procedures, such as DMARC, DKIM, and SPF. Although they are not foolproof, these precautions provide an invaluable line of defense against phishing attacks.
Phishing Tackle offers a free 14-day trial to help train your team in identifying and avoiding phishing scams. Combining robust security measures with user awareness can significantly reduce the risk of cyber threats.