Guardio Labs cybersecurity experts have uncovered a massive phishing campaign called “SubdoMailing” that has compromised more than 8,000 subdomains belonging to major brands and institutions. This campaign, which sends millions of malicious emails each day, has targeted companies such as MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay, among others.
According to the researchers, the attackers behind the operation are abusing stale DNS records: subdomains whose CNAME still points to a domain that has since expired, or whose SPF record still contains an include: for such a domain. By re-registering the expired domain, the attacker takes control of what the brand's subdomain resolves to, or of what the brand's SPF policy authorizes, and can then send mail from that subdomain that passes SPF, DKIM and DMARC checks. Because the authenticated sender is a genuine subdomain of a well-known brand, recipients and mail filters have little to distinguish these messages from legitimate ones.
The researchers at Guardio Labs discovered the campaign after flagging an email for unusual metadata patterns. That lead exposed a scheme in which hijacked subdomains were used to send fraudulent emails that appeared to originate from trusted domains. By analyzing the DNS records of these subdomains, the researchers traced the emails back to the sending infrastructure and mapped the assets behind the operation.
The threat actor behind the campaign, dubbed "ResurrecAds" by the researchers, is believed to be a single group that revives abandoned domains which major brands' DNS records still reference, exploiting the brands' reputation for malicious purposes. This actor has built a large network of re-registered domains, hijacked subdomains and IP assets to run its mailing operation, which points to a well-organized and technically capable operator.
In response to this widespread campaign, Guardio Labs has released a tool called SubdoMailing Checker that lets domain owners check whether any of their domains or subdomains are being abused in the operation. For an affected domain it reports the known abuse, the type of hijack (CNAME or SPF), and the specific subdomains and SPF records that need attention.
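The two hijack types described above, a subdomain whose CNAME points at an expired domain and an SPF include: chain that references one, can be audited from an organization's own zone data. The following is an added example written for this article, not Guardio's SubdoMailing Checker and not code from the original report. It walks the SPF include:/redirect= chain and follows subdomain CNAMEs, flagging every target whose registrable domain no longer resolves. All domain names and records in FAKE_DNS are constructed for the example; the `lookup` parameter is an injected resolver so the audit runs offline, and a live resolver (for example one built on dnspython) can be passed in its place.

```python
"""Audit a zone for the dangling references SubdoMailing abuses:
SPF include: targets and subdomain CNAME targets on expired domains.
Added example; not Guardio's tool. Names below are hypothetical."""
import re

# Constructed DNS snapshot. A name missing from the table models NXDOMAIN,
# which is how an expired, not-yet-re-registered domain answers.
FAKE_DNS = {
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "TXT"): [
        "v=spf1 include:_spf.mailvendor.example include:legacy-promo.example ~all"
    ],
    ("mailvendor.example", "NS"): ["ns1.mailvendor.example."],
    ("_spf.mailvendor.example", "TXT"): [
        "v=spf1 ip4:192.0.2.0/24 include:old-esp.example -all"
    ],
    ("marketing.example.com", "CNAME"): ["pages.forgotten-saas.example."],
    ("www.example.com", "CNAME"): ["example.com."],
}


def fake_lookup(name, rtype):
    """Resolver over the constructed snapshot; [] means no such record."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rtype), [])


def registrable(name):
    """Registrable parent of a name. Simplification: last two labels.
    A real audit must use the Public Suffix List (host.co.uk -> host.co.uk)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def domain_is_live(name, lookup):
    """A registrable domain counts as live if any common record resolves.
    If nothing does, anyone can register it and publish records for it."""
    base = registrable(name)
    return any(lookup(base, t) for t in ("NS", "A", "AAAA", "MX", "TXT"))


def spf_record(name, lookup):
    for txt in lookup(name, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


# include: may carry a qualifier (+ - ~ ?); redirect= is a modifier.
INCLUDE = re.compile(r"^[+\-~?]?(?:include:|redirect=)(.+)$", re.IGNORECASE)


def audit_spf(domain, lookup, _seen=None, _depth=0):
    """Walk the include:/redirect= chain; report targets on dead domains."""
    seen = set() if _seen is None else _seen
    findings = []
    domain = domain.rstrip(".").lower()
    if domain in seen or _depth > 10:  # RFC 7208 limits lookups to 10
        return findings
    seen.add(domain)
    record = spf_record(domain, lookup)
    if record is None:
        return findings
    for term in record.split():
        m = INCLUDE.match(term)
        if not m:
            continue
        target = m.group(1).rstrip(".").lower()
        if not domain_is_live(target, lookup):
            findings.append({"kind": "dead-spf-include", "via": domain, "target": target})
        elif spf_record(target, lookup) is None:
            findings.append({"kind": "include-without-spf", "via": domain, "target": target})
        else:
            findings.extend(audit_spf(target, lookup, seen, _depth + 1))
    return findings


def audit_cname(subdomain, lookup):
    """Flag a subdomain whose CNAME lands on a domain that no longer resolves."""
    targets = lookup(subdomain, "CNAME")
    if not targets:
        return None
    target = targets[0].rstrip(".").lower()
    if not domain_is_live(target, lookup):
        return {"kind": "dead-cname-target", "subdomain": subdomain, "target": target}
    return None


def audit(domain, subdomains, lookup=fake_lookup):
    """Full audit: SPF chain of `domain` plus CNAMEs of the listed subdomains."""
    findings = audit_spf(domain, lookup)
    for sub in subdomains:
        f = audit_cname(sub, lookup)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit("example.com", ["marketing.example.com", "www.example.com"]):
        print(f)
```

Against the constructed snapshot the audit reports three findings: old-esp.example (reached two includes deep via the mail vendor's SPF), legacy-promo.example (included directly), and the CNAME of marketing.example.com pointing into forgotten-saas.example. Each is a domain an attacker could register today. The remediation in every case is the same: remove the stale include: or CNAME from the zone, since re-registering the dead domain yourself only postpones the problem.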
The discovery of the SubdoMailing campaign highlights the evolving tactics of cybercriminals who keep adapting to bypass email security measures. As organizations strengthen their defenses against phishing, threat actors find new ways to exploit weaknesses and undermine trust in established brands. The practical lesson here is DNS hygiene: CNAME records pointing at services no longer in use, and SPF include: entries for vendors no longer under contract, should be removed rather than left for someone else to claim.
Overall, the SubdoMailing phishing campaign serves as a stark reminder of the importance of maintaining robust email security measures and staying vigilant against sophisticated cyber threats. By raising awareness about the tactics used by threat actors, cybersecurity experts hope to empower organizations to better protect themselves against malicious phishing campaigns.

