Cybercriminals Turn Trusted Email Platforms Into Phishing Weapons

Cybersecurity researchers at Trustwave SpiderLabs have identified a concerning escalation in phishing attacks, with threat actors increasingly exploiting legitimate email marketing platforms and cloud services to bypass security controls and deceive victims.

The security firm’s PageML URL-scanning system, which combines machine learning algorithms with deep learning components and URL intelligence frameworks, has detected a significant surge in sophisticated phishing campaigns.

These attacks leverage the trusted reputation of mainstream platforms to evade detection while targeting corporate credentials and sensitive information.

Email Marketing Platforms Under Siege

Cybercriminals are systematically abusing established email marketing services, with Klaviyo’s click-tracking domain ‘klclick3.com’ emerging as a primary target.

Attackers craft phishing emails with subjects such as “New Voicemail” that contain malicious redirections through legitimate tracking infrastructure.

Screenshot of the phishing email sample that uses voicemail as a lure.

In documented cases, phishing URLs disguised as voicemail notifications redirect victims through klclick3.com to final landing pages that employ the Chameleon phishing technique.

This sophisticated method dynamically fetches company information, including logos, from the victim’s email domain to create highly convincing fake login pages. The attackers utilize Clearbit URLs for image retrieval, a tactic commonly associated with advanced phishing kits.

Similarly, Drip Global’s ‘dripemail2.com’ domain has been compromised for DocuSign impersonation attacks.

These campaigns redirect victims through encoded URLs containing suspicious Base64 hashes that ultimately lead to fake Microsoft security pages designed to harvest corporate credentials.

Cloud Infrastructure Weaponized

Amazon Web Services has become another vector for phishing operations, with attackers hosting malicious content on S3 buckets to exploit the platform’s inherent trustworthiness.

Recent campaigns have targeted companies with “Payment” and “Account Payable” themed emails containing fake remittance attachments that redirect to Roundcube Webmail impersonation sites.

These AWS-hosted phishing pages incorporate Cloudflare Turnstile verification systems and AJAX templates for credential submission, representing an evolution in attack sophistication designed to circumvent automated security tools.
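As an added example (not code from Trustwave or from the article), the following triage sketch flags URLs in inbound mail that pass through the click-tracking domains named above or sit on S3, and decodes Base64-looking URL segments to see whether they carry the recipient's address. The subdomains, paths, recipient and reason labels are constructed, and the idea that the encoded blob contains the recipient identifier is an assumption, not something the article states.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Domains named in the article. A hit means "trusted infrastructure used as a
# hop, follow the redirect chain", not "malicious".
REDIRECTORS = {"klclick3.com": "klaviyo", "dripemail2.com": "drip"}
S3_HOST = re.compile(r"(^|\.)s3[.-]([a-z0-9-]+\.)?amazonaws\.com$")
B64_TOKEN = re.compile(r"[A-Za-z0-9_+-]{16,}")

def decode_tokens(url):
    """Return printable ASCII strings recovered from Base64-looking URL parts."""
    p = urlsplit(url)
    found = []
    for tok in B64_TOKEN.findall(unquote(f"{p.path}?{p.query}#{p.fragment}")):
        tok += "=" * (-len(tok) % 4)  # restore padding not captured by the regex
        try:
            text = base64.urlsafe_b64decode(tok).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found

def triage(url, recipient):
    """List the reasons a URL from an inbound mail needs redirect-chain analysis."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = [f"redirector:{name}" for dom, name in REDIRECTORS.items()
               if host == dom or host.endswith("." + dom)]
    if S3_HOST.search(host):
        reasons.append("hosting:aws-s3")
    # Assumption: the encoded blob carries the recipient's address or domain,
    # which is what a page that brands itself per victim would need.
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    if any(rcpt_domain in t.lower() for t in decode_tokens(url)):
        reasons.append("base64:recipient-identifier")
    return reasons

# Constructed sample input (subdomains, paths and recipient are made up).
RCPT = "jane.doe@example.com"
TOKEN = base64.urlsafe_b64encode(RCPT.encode()).decode()
SAMPLES = [
    f"https://ctrk.klclick3.com/l/01ABCDEF?r={TOKEN}",
    "https://constructed-bucket.s3.us-east-1.amazonaws.com/remit/index.html",
    "https://www.example.org/docs/page?id=42",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(triage(u, RCPT), u)
```

Because these platforms carry large volumes of legitimate mail, the output is a reason to detonate or follow the link in a sandbox, not a verdict to block on.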

Advanced Evasion Techniques

The latest phishing campaigns demonstrate increased technical complexity, incorporating multiple layers of obfuscation and evasion.

Compromised legitimate domains, such as freight service provider ‘airswift.ae’, are being exploited to host “Secure Document” lures that redirect through Cloudflare’s human verification systems before delivering victims to heavily encoded Microsoft login impersonation pages.

Screenshot of the phishing URL targeting the company of the victim.

These attacks specifically target legitimate business domains to maintain credibility while employing CAPTCHA verification and encoded scripts to evade automated detection systems.

The combination of trusted infrastructure abuse and advanced evasion techniques creates significant challenges for traditional security controls.

According to VirusTotal analysis, Trustwave’s security solutions demonstrated superior detection capabilities, identifying these sophisticated threats when other security vendors failed to recognize the malicious nature of the campaigns exploiting trusted platform infrastructure.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
