
A newly documented phishing-as-a-service (PhaaS) platform, dubbed Morphing Meerkat, dynamically impersonates 114 brands by looking up the DNS MX records of each victim’s email domain and serving a phishing page tailored to that provider. Described by Infoblox, the toolkit automates the detection of the victim’s email provider (e.g., Gmail, Microsoft 365) and delivers the matching fake login screen, which makes the lure far more convincing than a single generic page.
TL;DR: Key Takeaways
- Threat Actor: Tracked as Morphing Meerkat by Infoblox.
- Technique: Looks up the MX records of the victim’s email domain (client-side, over DNS-over-HTTPS to Google or Cloudflare) to identify the email provider and serve a brand-specific phishing page.
- Evasion: Uses Cloudflare R2, compromised WordPress sites, and open redirects (e.g., Google DoubleClick).
- Scale: Thousands of spam emails observed in July 2024 campaigns.
- Mitigation: Restrict DNS-over-HTTPS to sanctioned resolvers, block known phishing hosts and non-business ad/file-sharing infrastructure, and train users to recognise open-redirect links.
Technical Breakdown
The phishing kit begins with the victim’s email address, typically passed to the landing page in the URL, and takes the domain part of it. Its JavaScript then queries that domain’s DNS MX records over DNS-over-HTTPS (DoH) to Google or Cloudflare, so the lookup happens in the victim’s browser rather than through the organisation’s own resolvers. If the returned MX hosts belong to a recognised provider (e.g., Microsoft 365, Gmail), the kit loads the counterfeit login page mimicking that interface, usually with the victim’s address pre-filled. For unrecognised providers it falls back to a generic Roundcube webmail template.
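To make the fingerprinting step concrete, the following is an added example written for this page; it is not code from the Morphing Meerkat kit or from Infoblox. It builds the DoH JSON query the kit would send, parses a DoH answer into MX hostnames, and maps well-known inbound MX suffixes to a login template. The DoH endpoints and JSON shape are the public Google/Cloudflare ones; the provider table, the sample domain and the sample DoH answer are constructed for illustration.

```javascript
// Added example (not from the original article or the kit): reproduces the
// MX-based provider fingerprinting described above, offline, on constructed data.

// DoH JSON endpoints; both Google and Cloudflare accept ?name=<domain>&type=MX.
function buildDohMxQuery(domain, resolver = "cloudflare") {
  const base = resolver === "google"
    ? "https://dns.google/resolve"
    : "https://cloudflare-dns.com/dns-query"; // send with Accept: application/dns-json
  const params = new URLSearchParams({ name: domain, type: "MX" });
  return `${base}?${params.toString()}`;
}

// Extract MX exchange hostnames from a DoH JSON answer.
// Each MX record's "data" field is "<preference> <exchange-host>." (type 15 = MX).
function mxHostsFromDohAnswer(answer) {
  const records = (answer && Array.isArray(answer.Answer)) ? answer.Answer : [];
  return records
    .filter((r) => r.type === 15)
    .map((r) => String(r.data).trim().split(/\s+/))
    .filter((parts) => parts.length === 2)
    .sort((a, b) => Number(a[0]) - Number(b[0]))      // lowest preference first
    .map((parts) => parts[1].replace(/\.$/, "").toLowerCase());
}

// Well-known inbound MX suffixes per provider (assumption: a real kit keeps a
// much larger table; this one only illustrates the lookup).
const PROVIDER_SUFFIXES = [
  { suffix: "mail.protection.outlook.com", template: "microsoft365" },
  { suffix: "google.com", template: "gmail" },
  { suffix: "googlemail.com", template: "gmail" },
  { suffix: "yahoodns.net", template: "yahoo" },
];

// Pick the login template for the first MX host that matches a known provider;
// anything else gets the generic Roundcube page, as the article describes.
function chooseTemplate(mxHosts) {
  for (const host of mxHosts) {
    for (const { suffix, template } of PROVIDER_SUFFIXES) {
      if (host === suffix || host.endsWith("." + suffix)) return template;
    }
  }
  return "roundcube";
}

function fingerprint(dohAnswer) {
  const mxHosts = mxHostsFromDohAnswer(dohAnswer);
  return { mxHosts, template: chooseTemplate(mxHosts) };
}

// Constructed sample: what a DoH resolver would return for a Google Workspace domain.
const SAMPLE_DOH_ANSWER = {
  Status: 0,
  Answer: [
    { name: "victim-corp.example.", type: 15, TTL: 300, data: "20 alt1.aspmx.l.google.com." },
    { name: "victim-corp.example.", type: 15, TTL: 300, data: "10 aspmx.l.google.com." },
  ],
};

console.log(buildDohMxQuery("victim-corp.example"));
console.log(fingerprint(SAMPLE_DOH_ANSWER));
```

Note that nothing in this flow touches the victim organisation’s resolvers: the only observable on the corporate network is an HTTPS request from a browser to a public DoH endpoint, which is why resolver-log monitoring alone will not catch it.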
To evade detection, Morphing Meerkat employs several tactics:
- Hosting: Leverages Cloudflare R2 storage and compromised WordPress sites.
- Open Redirects: Exploits ad platforms like Google DoubleClick to bypass URL filters.
- Anti-Analysis: Disables right-click and keyboard shortcuts (Ctrl+S, Ctrl+U) to hinder manual inspection.
The kit supports 15+ languages, including English, Korean, and Spanish, broadening its target scope. Stolen credentials are exfiltrated via Telegram bots, as observed in a July 2024 campaign documented by Forcepoint.
Relevance to Security Teams
For defenders, the MX-driven page selection creates two problems. First, the phishing page is assembled per victim at load time, so a signature written against one brand’s fake login page does not match what another victim sees. Second, the MX lookup is made by the victim’s browser over DoH to a public resolver, so it leaves no trace in the organisation’s own DNS logs. The kit’s use of trusted domains (Cloudflare R2 buckets, compromised WordPress sites, open redirects on ad platforms) further complicates URL filtering.
Recommended Actions:
- Restrict DNS-over-HTTPS to sanctioned resolvers (block or proxy the public DoH endpoints) so the kit’s client-side MX lookups either fail or become visible; internal resolver logs will not show them otherwise.
- Block known phishing hosts, including the specific Cloudflare R2 (r2.dev) buckets and compromised WordPress sites reported in threat intelligence, and block access to ad-tech and file-sharing infrastructure that the business does not need.
- Educate users to scrutinise links for open redirects, i.e. a trusted domain whose query string carries another URL (e.g., example.com/redirect?url=phishing.site), and to check that the address bar, not just the page, matches their real mail provider.
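A small link checker for the open-redirect pattern above, added here as an example and not taken from the article or any vendor tool. It parses each link, looks at every query parameter for an embedded absolute, protocol-relative or bare-host URL, and flags the link when that inner host differs from the outer one. The parameter-name list and the sample links are constructed; a real mail gateway rule would be tuned to the organisation’s own traffic.

```javascript
// Added example (not from the original article): flag links whose query string
// carries a second URL pointing at a different host, the open-redirect shape
// users are warned about above. Parameter names and sample links are constructed.

// Query parameters that commonly carry a redirect target (assumption, not exhaustive).
const REDIRECT_PARAM_HINTS = [
  "url", "redirect", "redirect_uri", "redir", "next", "return", "returnurl",
  "dest", "destination", "target", "goto", "adurl", "u",
];

// Returns details of the first cross-host embedded URL, or null if none is found.
function findEmbeddedRedirect(link) {
  let outer;
  try { outer = new URL(link); } catch { return null; }   // not a URL at all

  for (const [key, value] of outer.searchParams) {
    // searchParams decodes once; decode again to catch double-encoded targets.
    let candidate = value;
    try { candidate = decodeURIComponent(value); } catch { /* keep raw value */ }

    let normalized = null;
    if (/^https?:\/\//i.test(candidate)) {
      normalized = candidate;                            // absolute URL
    } else if (candidate.startsWith("//")) {
      normalized = "https:" + candidate;                 // protocol-relative URL
    } else if (REDIRECT_PARAM_HINTS.includes(key.toLowerCase()) &&
               /^[a-z0-9-]+(\.[a-z0-9-]+)+(\/|$)/i.test(candidate)) {
      normalized = "https://" + candidate;               // bare host like phishing.site/login
    }
    if (!normalized) continue;

    let inner;
    try { inner = new URL(normalized); } catch { continue; }
    if (inner.hostname.toLowerCase() !== outer.hostname.toLowerCase()) {
      return { param: key, outerHost: outer.hostname, innerHost: inner.hostname };
    }
  }
  return null;
}

// Scan a batch of links (e.g. extracted from an email body) and keep the suspicious ones.
function flagOpenRedirects(links) {
  return links
    .map((link) => ({ link, hit: findEmbeddedRedirect(link) }))
    .filter((entry) => entry.hit !== null);
}

// Constructed sample links: two redirect lures, one same-host redirect, one benign.
const SAMPLE_LINKS = [
  "https://example.com/redirect?url=phishing.site",
  "https://ads.example/click?adurl=https%3A%2F%2Fphishing.site%2Flogin",
  "https://example.com/redirect?url=https://example.com/home",
  "https://example.com/search?q=quarterly+report",
];

console.log(flagOpenRedirects(SAMPLE_LINKS));
```

The same-host case is deliberately not flagged, since most sites use internal redirects after login; the check is meant to surface links where a trusted domain hands the browser off to somewhere else.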
Conclusion
Morphing Meerkat represents a shift in PhaaS sophistication, combining automation with infrastructure abuse. Its success hinges on the difficulty of detecting MX-record-driven attacks at scale. Proactive monitoring and user awareness are critical to mitigating this threat.
References
- The Hacker News (reporting on Infoblox research), “[New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims’ DNS Email Records](https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html)”. [Accessed: 2025-03-15].
- Jack Devault II, “[LinkedIn Post on Morphing Meerkat](https://www.linkedin.com/posts/wdevault_new-morphing-meerkat-phishing-kit-mimics-activity-7311074432771375104-xX3z)”. [Accessed: 2025-03-15].