{“lastseen”:”2025-11-12T16:05:10″,”description”:”Cybercriminals are spoofing \\”email delivery\\” notifications to look like they came from spam filters inside your own organization. The goal is to lure you to a phishing site that steals login credentials\u2014credentials that could unlock your email, cloud storage or other personal accounts.\\n\\nThe email claims that, due to an upgrade in the Secure Message system, some pending messages didn\u2019t make it to your inbox and are ready to be moved there now.\\n\\n\\n\\n\\u003e \u201cEmail Delivery Reports: Incoming Pending Messages\\n\\u003e \\n\\u003e We have recently upgraded our Secure Message system, and there are pending messages that have not been delivered to your Inbox.\\n\\u003e \\n\\u003e Failure Delivery Messages\\n\\u003e \\n\\u003e Email Delivery Reports For info@seychellesapartment.com\\n\\u003e \\n\\u003e Status : Subject: Date: Time:\\n\\u003e \\n\\u003e {A couple of message titles that are very generic and common as not to raise any suspicion}\\n\\u003e \\n\\u003e Move To Inbox (button)\\n\\u003e \\n\\u003e Note : The messages will be delivered within 1-2 hours after you receive a confirmation Mail Notice. If this message lands in your spam folder, please move it to your inbox folder\\n\\u003e \\n\\u003e Mail Encrypted by {spoofed domain} \u00a9 All Rights Reserved. | If you do not wish to receive this message Unsubscribe. (link)\u201d\\n\\nBoth the \\”Move to Inbox\\” button and the unsubscribe link abuse a cbssports[.]com redirect to reach the real phishing site located on the domain mdbgo[.]io, which was blocked by Malwarebytes.\\n\\n\\n\\nResearchers at Unit42 warned about this type of phishing campaign, so we decided to take a closer look. \\n\\nThe links pass the spoofed email address as a base64-encoded string to the phishing site. Going to that site, we were served this fake login screen with the target\u2019s domain already filled in\u2014making it look personalized and legitimate:\\n\\n\\n\\nContrary to Unit42\u2019s findings, we found that this version of the attack is more sophisticated and likely evolving quickly. The phishing site’s code is heavily obfuscated, and credentials are harvested through a websocket.\\n\\n\\n\\nA websocket keeps an open channel between your browser and the website\u2019s server\u2014like a phone call that never hangs up. This lets the browser and server send messages instantly back and forth, in both directions, without needing to reload the page. Cybercriminals love using websockets because they receive your details the instant you type them into a phishing site, and can even send prompts for additional information, such as two-factor authentication (2FA) codes.\\n\\nThis means that if you enter your email and password on such a site, attackers could instantly take control of your email, access cloud-stored files, reset other passwords, and impersonate you across services.\\n\\n## How to stay safe from phishing emails\\n\\nIn phishing attempts like these, two simple rules can save you from lots of trouble.\\n\\n * Don\u2019t open unsolicited attachments\\n * Always check the website address in the browser before signing in. Make sure it matches the site you expect to be on.\\n\\n\\n\\nOther important tips to stay safe from phishing in general:\\n\\n * **Verify the sender.** Always check if the sender\u2019s email address matches what you would expect it to be. It\u2019s not always conclusive, but it can help you spot some attempts.\\n * **Double-check requests** through another channel if you receive an attachment or a link you weren’t expecting.\\n * **Useup-to-date security software**, preferably with a web protection component.\\n * **Keep your device and all its software updated.**\\n * **Use multi-factor authentication** (MFA) for every account you can.\\n * **Use apassword manager. **Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.\\n\\n\\n\\nIf you already entered credentials on a page you don\u2019t trust, change your passwords immediately.\\n\\n**Pro tip:** The free Malwarebytes Browser Guard extension would have stopped this attack as well:\\n\\n![Malwarebytes Browser Guard blocks the subdomain of mdbgo\\\\[.\\\\]io](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/11\/mdbgoioblock.png)\\n\\n \\n\\n\\n## Indicators of Compromise (IOCs)\\n\\n * several subdomains of mdbgo[.]io\\n * xxx-three-theta.vercel[.]app\\n * client1.inftrimool[.]xyz\\n * psee[.]io\\n * veluntra-technology-productivity-boost-cold-pine-8f29.ellenplum9.workers[.]dev\\n * lotusbridge.ru[.]com\\n * shain-log4rtf.surge[.]sh\\n\\n\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2025-11-12T16:02:39″,”modified”:”2025-11-12T16:02:39″,”type”:”malwarebytes”,”title”:”Phishing emails disguised as spam filter alerts are stealing logins”,”source”:””,”references”:””,”id”:”MALWAREBYTES:C5B4F66D3B1DB5A6AF585C06798F0C86″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/11\/phishing-emails-disguised-as-spam-filter-alerts-are-stealing-logins”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-12T16:05:10″,”description”:”Cybercriminals are spoofing \\”email delivery\\” notifications to look like they came from spam filters inside your own organization. The goal is to lure you to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-25953","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n