Spoofed email addresses in malspam campaigns continue to work for attackers, who use them to bypass security mechanisms and trick victims into triggering the malware. Despite safeguards like DKIM, DMARC, and SPF, which are designed to prevent attackers from spoofing well-known domains, attackers are getting around them by abusing neglected domains that lack these DNS records, which makes the spoofed messages harder to detect.
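The neglected-domain problem described above is visible from the receiving side: a sender domain that publishes neither an SPF nor a DMARC record gives a receiver no policy to enforce against a forged From address. The following is an added example, not code from this article or its sources; it assesses a sender domain's posture against a constructed in-memory DNS table (the `sample_lookup` function and the `.test` domains are assumptions, and a real TXT resolver would replace `sample_lookup` in live use).

```python
import re
from typing import Callable, Dict, List

# Constructed sample DNS data (not real lookups): TXT record name -> records.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-protected.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example-protected.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-protected.test"],
    "example-weak.test": ["v=spf1 a mx ~all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none"],
    # A neglected domain: still registered, but publishes no SPF or DMARC at all.
    "example-neglected.test": [],
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT query (assumption: replace with a real resolver)."""
    return SAMPLE_TXT.get(name, [])


def parse_tags(record: str) -> Dict[str, str]:
    """Parse DMARC-style 'k=v; k=v' tags into a dict with lower-cased keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> str:
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?', '+', or '' if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return ""
    return match.group(1) or "+"  # a bare 'all' means '+all' (pass everything)


def assess_sender_domain(domain: str, lookup: Callable[[str], List[str]] = sample_lookup) -> Dict[str, str]:
    """Classify how much protection a sender domain's published records give a receiver."""
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    spf_all = spf_all_qualifier(spf[0]) if spf else ""
    policy = parse_tags(dmarc[0]).get("p", "").lower() if dmarc else ""
    if not spf and not dmarc:
        risk = "high"      # nothing published: a forged From cannot fail any check
    elif policy in ("reject", "quarantine"):
        risk = "low"       # receivers are told to act on alignment failures
    else:
        risk = "medium"    # SPF only, or DMARC with p=none (monitor, do not act)
    return {"domain": domain, "spf_all": spf_all, "dmarc_policy": policy, "risk": risk}
```

A receiving gateway can run this assessment on the From domain of inbound mail and treat a "high" result as a signal to weight other indicators, such as QR codes or Bitcoin demands, more heavily.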
Researchers have identified how these spam campaigns use disused domains to distribute phishing emails containing QR codes that lead to malicious sites. In one campaign, active since December 2022, the spammers target users with tax-related lures and urge them to divulge personal and financial information.
Other phishing techniques observed include impersonating big brands like Amazon and Mastercard and redirecting users to fake login pages to steal credentials. Extortion emails that claim to have captured compromising videos via malware and demand Bitcoin payments have also been observed.
Instructions to use Alipay/WeChat to scan the QR code (Source: Infoblox)
The most recent malspam campaigns target industries like government and construction, using trusted platforms such as Canva and Dropbox to host phishing pages. These often deploy Cloudflare Turnstile challenges to evade detection by email security tools. The attackers have also launched SMS phishing schemes in the UAE that impersonate law enforcement and send fake payment requests.
Researchers report that generic top-level domains (gTLDs) like .top and .xyz are increasingly used for cybercrime and now account for 37% of malicious domains due to low registration fees and lax regulations.
Attackers also employ tools like PhishWP, a malicious WordPress plugin, to create fake payment gateways that harvest sensitive user information in real time. These evolving strategies underline the persistent challenges in combating phishing and domain abuse. [1]
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Red Sky provides indicators of compromised information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-2-6/
© 2025 Red Sky Alliance Corporation. All rights reserved.