
A newly identified phishing-as-a-service (PhaaS) operation, dubbed Morphing Meerkat by researchers, has adopted DNS-over-HTTPS (DoH) to bypass traditional security measures. This tactic allows the group to dynamically serve phishing pages while evading detection by network monitoring tools. The operation targets over 114 brands and operates in multiple languages, including English, Spanish, Russian, and Chinese [1].
Executive Summary for Security Leaders
The Morphing Meerkat campaign represents a significant evolution in phishing tactics, combining PhaaS accessibility with advanced evasion techniques. By using DoH, attackers obscure DNS queries, making it harder for defenders to identify malicious domains. The operation also abuses MX records to identify email providers, increasing the effectiveness of credential harvesting [2].
- Threat: PhaaS operation using DoH for evasion
- Targets: 114+ brands across multiple sectors
- Tactics: MX record abuse, multi-language phishing kits
- Detection Challenge: Encrypted DNS queries bypass traditional monitoring
Technical Analysis of the Attack Chain
The operation begins with phishing emails containing links that resolve through DoH-enabled DNS servers. Because the lookups travel inside ordinary HTTPS sessions, network security tools cannot inspect the DNS queries that would normally reveal malicious domains. Researchers observed the group using dynamically generated subdomains, with some campaigns generating over 12 new domains daily using domain generation algorithms (DGAs) [3].
MX record analysis allows the attackers to identify the email provider of potential victims, enabling them to serve tailored phishing pages. For example, when targeting Office 365 users, the operation presents login pages that closely mimic Microsoft’s authentication interface. The use of DoH means these malicious domains don’t appear in standard DNS logs, significantly reducing detection opportunities [4].
Detection and Mitigation Strategies
Network defenders should monitor for unusual patterns in HTTPS traffic, particularly connections to known DoH providers like Cloudflare (1.1.1.1) or Google (8.8.8.8). Suspicious indicators include:
| Indicator | Detection Method |
|---|---|
| High-volume DoH queries | Network traffic analysis |
| Unusually long DNS queries (>100 chars) | Endpoint monitoring |
| Rapid domain generation | DNS filtering solutions |
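As an added illustration of the three indicators in the table above (example code written for this page, not from the original article or the researchers' tooling), the following Python sketch scores constructed endpoint DNS-client telemetry against them. The log format, the resolver hostnames, and the DoH volume threshold are assumptions; the 100-character and 12-domains-per-day thresholds are the ones the article gives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# DoH resolvers to watch: page names Cloudflare and Google, hostnames are an assumption.
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "1.1.1.1", "8.8.8.8"}
LONG_QNAME = 100   # page's threshold: query names over 100 characters
DOH_VOLUME = 5     # DoH queries per host per window; assumed threshold
DGA_DOMAINS = 12   # page: "over 12 new domains daily"
WINDOW = timedelta(hours=24)
# Constructed endpoint DNS-client telemetry, hypothetical format: "<ISO time> host=.. resolver=.. qname=.."
LINE = re.compile(r"^(\S+) host=(\S+) resolver=(\S+) qname=(\S+)$")

def parse(lines):
    """Yield (time, host, resolver, qname); malformed lines are skipped."""
    for line in lines:
        if m := LINE.match(line.strip()):
            yield datetime.fromisoformat(m[1].replace("Z", "+00:00")), m[2], m[3], m[4]

def apex(qname):
    # Crude registrable domain (last two labels); use a public-suffix list in production.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def exceeds(events, limit):
    """True if more than `limit` distinct values fall inside any WINDOW-long span."""
    events.sort()
    return any(len({v for t, v in events[i:] if t - s < WINDOW}) > limit
               for i, (s, _) in enumerate(events))

def detect(lines):
    """Map host -> sorted alert names for the three indicators in the table above."""
    alerts, doh, seen = defaultdict(set), defaultdict(list), defaultdict(list)
    for n, (ts, host, resolver, qname) in enumerate(parse(lines)):
        if len(qname) > LONG_QNAME:
            alerts[host].add("long_qname")
        if resolver in DOH_RESOLVERS:
            doh[host].append((ts, n))           # n makes every query a distinct value
        seen[host].append((ts, apex(qname)))
    for name, per_host, limit in (("doh_volume", doh, DOH_VOLUME), ("rapid_domains", seen, DGA_DOMAINS)):
        for host, ev in per_host.items():
            if exceeds(ev, limit):
                alerts[host].add(name)
    return {h: sorted(a) for h, a in alerts.items()}

# Constructed sample: ws01 resolves 13 fresh look-alike domains through a public
# DoH resolver plus one 119-character name; ws02 uses the corporate resolver.
SAMPLE = [f"2025-03-27T10:{i:02d}:00Z host=ws01 resolver=dns.google "
          f"qname=login-{i:04x}.verify-mail{i}.example" for i in range(13)]
LONG = "a" * 60 + "." + "b" * 50 + ".example"     # 119 characters
SAMPLE += [f"2025-03-27T11:00:00Z host=ws01 resolver=dns.google qname={LONG}",
           "2025-03-27T10:05:00Z host=ws02 resolver=corp-dns.internal qname=mail.example"]
```

Running `detect(SAMPLE)` flags only ws01, with all three alert names; a real deployment would feed it a day of DNS-client or EDR telemetry and tune the assumed thresholds to the environment's baseline.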
Microsoft recommends implementing DMARC, SPF, and DKIM email authentication protocols to reduce spoofed emails. For organizations that can’t block DoH entirely, solutions like Heimdal DNS Security can help monitor encrypted DNS traffic for anomalies [5].
Broader Implications for Security Teams
The emergence of DoH-enabled phishing operations complicates traditional detection methods that rely on DNS query inspection. Security teams should consider deploying endpoint monitoring solutions capable of analyzing process behavior, as many DoH implementations create identifiable patterns in memory and network activity.
This case also highlights the growing professionalism of phishing operations. With turnkey services like Morphing Meerkat available for as little as $50/month, the barrier to entry for sophisticated attacks continues to fall. The operation’s multi-language support suggests targeting of global organizations, particularly those with international operations [6].
Conclusion
The Morphing Meerkat operation demonstrates how attackers are adapting to improved security measures by leveraging emerging protocols like DoH. While DoH provides legitimate privacy benefits, its misuse by threat actors requires new approaches to detection and prevention. Organizations should prioritize monitoring encrypted DNS traffic and implement layered defenses including email authentication, endpoint protection, and user training.
As PhaaS operations continue to evolve, security teams must adapt their strategies to address both the technical and human elements of these threats. The combination of advanced evasion techniques with commoditized attack services represents a significant challenge for defenders across all sectors.
References
1. “Phishing-as-a-service operation uses DNS-over-HTTPS for evasion,” BleepingComputer, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operation-uses-dns-over-https-for-evasion/
2. “Catching the big fish: Analyzing a large-scale phishing-as-a-service operation,” Microsoft Security Blog, 2021. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/
3. “Grandoreiro banking Trojan unleashed,” IBM X-Force, 2024. [Online]. Available: https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
4. “How hackers use DNS tunneling to own your network,” Cynet, 2024. [Online]. Available: https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-dns-tunneling-to-own-your-network/
5. “DNS-over-HTTPS (DoH) risks and mitigations,” Heimdal Security, 2024. [Online]. Available: https://heimdalsecurity.com/blog/dns-over-https-doh/
6. “Phishing guidance,” NCSC. [Online]. Available: https://www.ncsc.gov.uk/guidance/phishing