A newly discovered phishing-as-a-service (PhaaS) operation known as Morphing Meerkat has been identified as using the DNS over HTTPS (DoH) protocol to evade detection. The operation, which has been active since at least 2020, leverages sophisticated techniques to target victims with dynamic spoofed login pages for over 114 brands, including major email providers.
Research from Infoblox reveals that Morphing Meerkat facilitates a centralized SMTP infrastructure for launching extensive phishing campaigns. Approximately half of the identified phishing emails originate from internet services provided by iomart in the UK and HostPapa in the US. These attacks employ urgent subject lines designed to provoke immediate action from recipients, and the emails are delivered in various languages.
Upon clicking the malicious link within the emails, victims are taken through a chain of redirection exploits that often involve compromised ad tech platforms such as Google DoubleClick. This series of redirects ultimately leads to the deployment of a phishing kit that queries the MX record of the victim’s email domain using DoH via Google or Cloudflare. This method significantly enhances the operation’s evasion capabilities, because the DNS queries are made client-side inside encrypted requests.
Once the phishing kit has loaded, it displays a fake login page pre-filled with the victim’s email address. Any credentials entered are siphoned off to external servers through AJAX requests. To further manipulate victims, the site generates an error message encouraging them to re-enter their password, and upon success, redirects them to a legitimate site to diminish suspicion.
To defend against such evolving threats, experts advise implementing stricter DNS controls to prohibit communication with DoH servers and limiting access to ad technology and file-sharing resources deemed non-essential to business operations. The complete set of indicators of compromise related to the Morphing Meerkat activity is publicly available in a GitHub repository.
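The following detection sketch is an added example, not part of the original article or of Infoblox's research: it scans web proxy logs for the client-side MX lookups described above, sent to the public DoH JSON endpoints of Google and Cloudflare. The log format, addresses and timestamps are constructed, and it assumes a TLS-inspecting proxy that records full URLs and the Referer header.

```python
from urllib.parse import urlsplit, parse_qs

# Public DoH JSON endpoints of the two resolvers the article names.
DOH_ENDPOINTS = {("dns.google", "/resolve"), ("cloudflare-dns.com", "/dns-query")}
MX_TYPES = {"mx", "15"}  # MX by name or by numeric record type

# Constructed sample log (assumed format): time, client, URL, Referer or "-".
SAMPLE_LOG = """\
2025-01-01T09:14:02Z 10.0.4.17 https://dns.google/resolve?name=example.com&type=MX https://landing.example.net/
2025-01-01T09:14:05Z 10.0.4.22 https://cloudflare-dns.com/dns-query?name=example.org&type=A -
2025-01-01T09:15:41Z 10.0.4.31 https://cloudflare-dns.com/dns-query?name=example.com&type=15 https://files.example.net/
2025-01-01T09:16:10Z 10.0.4.17 https://www.example.com/index.html -
"""


def classify(url):
    """Return None (not DoH), 'doh' (other lookup) or 'doh-mx' (MX lookup)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if (host, parts.path) not in DOH_ENDPOINTS:
        return None
    qtypes = {v.lower() for v in parse_qs(parts.query).get("type", [])}
    return "doh-mx" if qtypes & MX_TYPES else "doh"


def scan(log_text):
    """Return one finding per DoH request; MX lookups sent from a page rank high."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        ts, client, url, referer = fields
        verdict = classify(url)
        if verdict is None:
            continue
        qname = parse_qs(urlsplit(url).query).get("name", ["?"])[0]
        # A page-initiated MX lookup (Referer set) matches the kit's behaviour.
        severity = "high" if verdict == "doh-mx" and referer != "-" else "info"
        findings.append({"time": ts, "client": client, "qname": qname,
                         "referer": referer, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["time"], f["client"], f["qname"], f["referer"])
```

Without TLS inspection only the resolver hostname is visible, so the practical control is the recommendation above to block DoH servers outright.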