29 March 2025

Morphing Meerkat Phishing Operation Targets Users Worldwide

A new phishing-as-a-service platform exploits DNS records to steal credentials from over 100 brands.

A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to each victim’s email provider. Dubbed "Morphing Meerkat," this phishing-as-a-service (PhaaS) platform can mimic over 100 brands, a significant evolution in phishing technique: the impersonations it produces are convincing enough that users struggle to tell them apart from legitimate login pages.

The threat begins with spam emails containing malicious links that redirect victims through a series of steps to the phishing landing page. These emails typically employ urgent messaging around account deactivation or document delivery, compelling users to click embedded hyperlinks. The links often point to compromised WordPress websites, fraudulent accounts on free web hosting services, or exploit open redirects on advertising networks to bypass email security systems.

According to researchers at Infoblox, the operation has been active since at least January 2020 and has kept its core infrastructure in place while continuously evolving its capabilities. The threat actor behind the operation has been given the same name, Morphing Meerkat, and runs the PhaaS platform itself.

At the core of Morphing Meerkat’s operation is its innovative use of DNS MX records. The platform queries the MX record of a victim’s email domain using DNS over HTTPS (DoH) services from providers like Cloudflare and Google. It then uses this information to dynamically load a phishing template that closely matches the victim’s email service provider, creating a more convincing and personalized phishing experience.

Infoblox researchers noted, “We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands.” The PhaaS platform maintains a library of at least 114 unique email brand and login designs, allowing it to accurately spoof a wide range of email services. This technique enables the attackers to conduct highly targeted phishing campaigns at scale, increasing the likelihood of successful credential theft.

The technical implementation of the phishing kit is particularly dangerous. It performs a DNS MX record lookup using DoH services, allowing it to precisely identify the victim’s email service provider without maintaining an extensive domain mapping database. The phishing kit then maps the returned MX record to a matching phishing template, automatically filling the username field with the victim’s email address.
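One defensive angle on the lookup described above: because the kit resolves the MX record from inside the victim's browser via public DoH resolvers, a corporate web proxy sees those HTTPS requests and can flag them. The following detection script is an added example, not Infoblox's or the kit's code; the log format, sample lines and resolver list are constructed or assumed, and the endpoint paths are the publicly documented Cloudflare (`/dns-query`) and Google (`/resolve`) JSON DoH APIs rather than anything the report states.

```python
"""Flag DNS-over-HTTPS MX lookups issued from web pages, using proxy logs.
The kit resolves the victim's mail-domain MX record via public DoH
resolvers to choose a login template; a proxy sees those requests.
Log format, sample lines and the resolver list are constructed/assumed."""
import re
from urllib.parse import parse_qs, urlparse
# DoH resolvers named in the report, with their documented JSON endpoints
# (Cloudflare: /dns-query, Google: /resolve). Extend for your environment.
DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "dns.google", "8.8.8.8"}
DOH_PATHS = {"/dns-query", "/resolve"}
MX_TYPES = {"mx", "15"}  # DNS RR type MX, by name or by numeric code
# Constructed log format: "<client> <method> <url> referer=<url-or-dash>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) referer=(\S+)$")

def is_doh_mx_lookup(url):
    """True if url is a DoH JSON-API query asking for an MX record."""
    u = urlparse(url)
    if u.hostname not in DOH_HOSTS or u.path not in DOH_PATHS:
        return False
    rtype = parse_qs(u.query).get("type", [""])[0].lower()
    return rtype in MX_TYPES

def find_suspect_lookups(lines):
    """Return (client, queried_domain, referer) for every DoH MX lookup.
    The referer is the tell: a landing page's script doing MX lookups."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        client, _method, url, referer = m.groups()
        if is_doh_mx_lookup(url):
            name = parse_qs(urlparse(url).query).get("name", ["?"])[0]
            hits.append((client, name, referer))
    return hits

# Constructed sample: two browser DoH MX lookups from one landing page,
# an ordinary search, and a DoH A-record lookup that must not be flagged.
SAMPLE_LOG = [
    "10.0.0.5 GET https://cloudflare-dns.com/dns-query?name=example.com&type=MX "
    "referer=https://cdn.example-host.invalid/login/",
    "10.0.0.5 GET https://dns.google/resolve?name=example.com&type=15 "
    "referer=https://cdn.example-host.invalid/login/",
    "10.0.0.7 GET https://www.google.com/search?q=mx+record referer=-",
    "10.0.0.8 GET https://dns.google/resolve?name=example.com&type=A referer=-",
]

if __name__ == "__main__":
    for client, domain, ref in find_suspect_lookups(SAMPLE_LOG):
        print(f"{client}: DoH MX lookup for {domain} from page {ref}")
```

In practice the same rule can be expressed in a proxy or SIEM query; the referer field is what separates a page-embedded lookup from a legitimate resolver client.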

If the victim submits their credentials, the data is exfiltrated to the attackers via email, PHP scripts, AJAX requests, or messaging platforms like Telegram. To evade detection, the kit employs multiple security techniques, including code obfuscation, keyboard monitoring to prevent inspection, and intelligent redirects to legitimate websites after credential theft.

As the operation has evolved, it has integrated dynamic translation capabilities, allowing it to serve phishing content in over a dozen languages based on the victim’s browser settings. This multilingual capability, combined with the use of compromised WordPress sites and free web hosting services for distribution, allows the attackers to effectively target users worldwide.

According to the report, Morphing Meerkat employs multiple security evasion features to hinder threat analysis and bypass phishing protection systems. These include code obfuscation, inflation of script size with non-functional code, and exploitation of open redirects on adtech infrastructure. The platform also uses client-side email libraries and messaging app APIs to exfiltrate stolen credentials, making detection more challenging.

The discovery of Morphing Meerkat highlights the evolving sophistication of phishing attacks and the need for enhanced DNS security measures. Organizations are advised to implement strong DNS controls, limit access to non-essential services, and educate users about the risks of phishing attempts that may closely mimic legitimate login pages.

Infoblox pointed out that the Morphing Meerkat phishing kit shows how cybercriminals exploit security blind spots using techniques like DNS cloaking and open redirects. Organizations can protect themselves against these kinds of attacks by adding a strong layer of DNS security to their systems: tightening DNS controls so that users cannot communicate with DoH servers, or blocking user access to adtech and file-sharing infrastructure that is not critical to the business.

In summary, the Morphing Meerkat operation illustrates a growing trend in phishing tactics, where attackers leverage legitimate technologies to enhance their schemes. As phishing techniques continue to evolve, both organizations and users must remain vigilant and informed to safeguard against these sophisticated threats.