{
  "name": "PhaaS actor uses DoH and DNS MX to dynamically distribute phishing",
  "slug": "phaas-actor-uses-doh-and-dns-mx-to-dynamically-distribute-phishing",
  "description": "Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands.",
  "published": "2025-03-31T17:56:09+00:00",
  "created_at": "2025-03-31T17:56:09+00:00",
  "modified_at": "2025-03-31T17:57:53+00:00",
  "created_at_opencti": "2025-03-31T17:56:09+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-03-31",
    "cloud",
    "malspam",
    "morphing meerkat",
    "phishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "5.230.210.77"
      },
      {
        "id": "",
        "name": "5.230.209.74"
      },
      {
        "id": "",
        "name": "45.133.174.25"
      },
      {
        "id": "",
        "name": "194.169.172.188"
      },
      {
        "id": "",
        "name": "185.229.66.117"
      },
      {
        "id": "",
        "name": "185.209.161.155"
      },
      {
        "id": "",
        "name": "175.9.54.154"
      },
      {
        "id": "",
        "name": "173.224.126.37"
      },
      {
        "id": "",
        "name": "122.183.248.102"
      },
      {
        "id": "",
        "name": "107.173.166.107"
      },
      {
        "id": "",
        "name": "109.200.24.11"
      },
      {
        "id": "",
        "name": "185.117.90.212"
      },
      {
        "id": "",
        "name": "zeinabghasemi.ir"
      },
      {
        "id": "",
        "name": "truck-parts.nl"
      },
      {
        "id": "",
        "name": "nfond.com"
      },
      {
        "id": "",
        "name": "movesfitnesszoom.co.uk"
      },
      {
        "id": "",
        "name": "jeel.top"
      },
      {
        "id": "",
        "name": "hexatimes.com"
      },
      {
        "id": "",
        "name": "foxmail.net"
      },
      {
        "id": "",
        "name": "carriertrucks.com"
      },
      {
        "id": "",
        "name": "38474.com"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d2e01d88-7f6e-44bd-a88f-1dc17f4c547d",
        "name": "Morphing Meerkat",
        "slug": "morphing-meerkat"
      }
    ],
    "attack_patterns": [
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ]
  },
  "external_refs": [
    "https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/",
    "https://otx.alienvault.com/pulse/67eaf35a20355ae846b8269d"
  ]
}