Raven security researchers uncovered a sophisticated, multi-wave phishing campaign that marked a significant departure from conventional phishing tactics.
Rather than spoofing trusted domains or deploying fake sender addresses, the attackers exploited the legitimate infrastructure of Nifty.com, a reputable Japanese ISP, to distribute their phishing emails.
By registering free consumer accounts with Nifty.com, the adversaries ensured that all outgoing messages passed critical authentication checks such as SPF, DKIM, and DMARC.
This legitimate use of the domain allowed the campaign to seamlessly bypass most secure email gateways (SEGs), which typically rely on these validation protocols as primary lines of defense.
The campaign unfolded in several adaptive waves, starting with an initial “Execution Agreement” lure on April 28, followed by subsequent waves that not only repeated this theme but also introduced variants, such as a “SAFE agreement” lure by mid-May.
The final week of the campaign saw a sudden surge, with dozens of phishing emails dispatched within minutes, suggesting automation and possible use of pre-built phishing kits.
The consistent thematic focus on business workflows and contractual agreements, paired with precise timing, indicated a well-orchestrated attack likely underpinned by sophisticated tooling.
Anatomy of the Attack
Key to the campaign’s success was its meticulous evasion of common detection strategies.
Unlike traditional phishing emails laden with malicious links in the body, these messages contained no suspicious links, making them appear benign at first glance.
Instead, the attackers delivered their payload via email attachments, mainly PDFs and HTML files, bearing filenames such as “SAFE_Terms_May2025.pdf” and “Execution_Agreement.html.”
The HTML attachments executed redirect chains that first pointed to legitimate-seeming marketing trackers before stealthily rerouting victims to phishing sites operated on obscure domains using obfuscated JavaScript.
Notably, email addresses were embedded in the URL fragment, enabling more granular recipient tracking.
The phishing emails also demonstrated advanced evasion techniques, including heavy HTML padding with whitespace to bypass content filters, multipart MIME structures to conceal payloads, and deliberate display name spoofing with legitimate business branding such as “Name via DocuSign.”
The messages themselves were impeccably crafted, lacking the usual indicators of phishing such as poor grammar, awkward phrasing, or obvious linguistic errors, a sign of either highly polished phishing kits or AI-generated content.
Threat Classification
Despite their sophistication, the emails triggered alerts at Raven due to subtle behavioral anomalies.
Analysts observed unusual sender-recipient pairings, repeated contractual lures targeting disparate recipients, consistent brand impersonation, and identical attachment structures across multiple attack waves.
The redirect chains, though initially masked, were eventually traced to flagged infrastructure, confirming the campaign’s malicious nature.
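The behavioural anomalies listed above (brand-bearing display names from a consumer ISP domain, bursts of messages within minutes, one lure subject reused against unrelated recipients) can be checked mechanically over message metadata even when SPF, DKIM and DMARC all pass. The Python below is an added illustration, not Raven's detection logic; the header records, the brand-to-domain map and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample headers. All pass SPF/DKIM/DMARC because the senders really
# are nifty.com accounts, so authentication results carry no signal here.
EMAILS = [
    {"sender": "acct101@nifty.com", "display": "Alice Chen via DocuSign",
     "to": "cfo@firm-a.test", "subject": "Execution Agreement", "ts": "2025-05-27T09:00:05"},
    {"sender": "acct102@nifty.com", "display": "Alice Chen via DocuSign",
     "to": "ap@firm-b.test", "subject": "Execution Agreement", "ts": "2025-05-27T09:01:40"},
    {"sender": "acct103@nifty.com", "display": "Mark Ito via DocuSign",
     "to": "legal@firm-c.test", "subject": "SAFE agreement", "ts": "2025-05-27T09:03:12"},
    {"sender": "bob@partner.test", "display": "Bob Lee",
     "to": "cfo@firm-a.test", "subject": "Q2 invoice", "ts": "2025-05-27T11:20:00"},
]
# Assumed brand-to-domain map: "via <Brand>" in a display name sent from a
# domain the brand does not own is treated as display-name impersonation.
BRAND_DOMAINS = {"docusign": {"docusign.net", "docusign.com"}}

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def brand_mismatch(msg):
    """Display name borrows a brand that the sender domain does not own."""
    name = msg["display"].lower()
    return any(b in name and domain(msg["sender"]) not in d for b, d in BRAND_DOMAINS.items())

def burst_domains(emails, window_s=300, min_count=3):
    """Sender domains emitting >= min_count messages within window_s seconds."""
    times = defaultdict(list)
    for m in emails:
        times[domain(m["sender"])].append(datetime.fromisoformat(m["ts"]))
    hits = set()
    for dom, ts in times.items():
        ts.sort()
        if any((ts[i + min_count - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - min_count + 1)):
            hits.add(dom)
    return hits

def repeated_lures(emails, min_targets=2):
    """(sender domain, subject) pairs reused against >= min_targets recipient domains."""
    targets = defaultdict(set)
    for m in emails:
        targets[(domain(m["sender"]), m["subject"].lower())].add(domain(m["to"]))
    return {k for k, v in targets.items() if len(v) >= min_targets}
```

On the constructed records the three nifty.com messages trip all three checks while the partner invoice trips none, which is the point: the verdict comes from behaviour, not from authentication results.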
This campaign stands out for its abuse of authenticated Nifty.com accounts, leveraging legitimate mail servers and IP addresses to blend with ordinary traffic and evade blacklists.
The attack vector was fundamentally based on redirect-driven phishing, delivered through well-camouflaged attachments.
The end goal was credential harvesting, including the theft of session tokens (notably for Gmail), representing a medium-to-high level of sophistication with clear signals of automation and potential use of advanced phishing kits.
The effectiveness of the campaign exposes persistent gaps in legacy email security architectures.
By relying primarily on authentication failures, blacklists, and obvious malicious indicators in message headers or body content, these defenses left organizations vulnerable to a new breed of phishing that weaponizes legitimate platforms.
This incident underscores the urgent need for behavioral detection, contextual analysis, and continuous adaptation as attackers increasingly blend into trusted digital ecosystems.