
The goal is to steal email credentials by convincing recipients that some of their legitimate messages have been delayed following a security system upgrade.
Victims receive a professional-looking email claiming specific “pending messages” have not been delivered to their inbox and must be manually moved there.
The email body lists generic subject lines and timestamps to make the content appear authentic, followed by a large “Move to Inbox” button that seems to perform a harmless administrative function.
Clicking that button, however, triggers a redirect chain that abuses the legitimate cbssports[.]com domain before reaching a phishing site hosted on mdbgo[.]io.
The criminals rely on trusted brand domains to evade security filters and lower suspicion among recipients accustomed to seeing familiar URLs in corporate emails. Malwarebytes researchers have since blocked these domains and confirmed their involvement in multiple phishing attempts.
Unit42, Palo Alto Networks’ threat intelligence team, first reported the campaign in early November 2025, but newer variants display signs of rapid evolution.
Updated samples add code obfuscation: the scripts are deliberately scrambled so that neither researchers nor automated scanners can read their logic directly, which slows analysis and defeats simple signature matching.
Custom Phishing Portals with Real-Time Credential Theft
The phishing site itself is striking in its realism. When a potential victim lands on the page, they see a personalized login form already prefilled with their email domain.
This customization is achieved through a base64-encoded parameter in the phishing link that carries the target's email address; the page decodes it, prefills the form, and shows the matching company domain and branding so the portal appears to belong to the victim's own organization.
The form then requests the user’s email and password, pretending to authenticate them before supposedly delivering their “delayed” messages.
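The link structure described above (a trusted-domain redirect that carries the real landing page, and a landing page whose base64 parameter personalizes the form) is the first thing an analyst unpicks when triaging a reported message. The following is an added example, not code from the campaign or from the article; the host names, the redirect parameter and the `u` parameter are constructed assumptions, and the link is built inline so the script runs offline.

```javascript
// Added example (not the campaign's own code): triage a phishing link of the shape the
// article describes. Host names and parameter names are hypothetical.

// Follow "URL inside a query parameter" hops until no further URL is embedded, which is
// how an open redirect on a trusted domain hands the browser to the phishing portal.
function unwrapRedirects(href, maxDepth = 5) {
  const chain = [href];
  let current = new URL(href);
  for (let depth = 0; depth < maxDepth; depth++) {
    let next = null;
    for (const [, value] of current.searchParams) {
      if (/^https?:\/\//i.test(value)) { next = value; break; }
    }
    if (!next) break;
    try { current = new URL(next); } catch { break; }
    chain.push(current.href);
  }
  return chain;
}

// Decode any base64/base64url-looking parameter on the landing URL and return the first
// one that is an e-mail address: the value the page uses to prefill and brand the form.
function decodeVictimHint(href) {
  const u = new URL(href);
  for (const [param, value] of u.searchParams) {
    if (!/^[A-Za-z0-9+/_-]{8,}={0,2}$/.test(value)) continue;
    const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
    const decoded = Buffer.from(normalized, 'base64').toString('utf8');
    const m = decoded.match(/^[^\s@]+@([^\s@]+\.[a-z]{2,})$/i);
    if (m) return { param, email: decoded, domain: m[1].toLowerCase() };
  }
  return null;
}

// Full triage: redirect chain, final host, and who the lure was personalized for.
function triageLink(href) {
  const chain = unwrapRedirects(href);
  const landing = chain[chain.length - 1];
  return { chain, landingHost: new URL(landing).hostname, victim: decodeVictimHint(landing) };
}

// Constructed sample: a hypothetical open redirect on trusted-brand.example that points at
// the phishing portal, which carries the target's address base64-encoded in "u".
const SAMPLE_LINK =
  'https://trusted-brand.example/r?url=' +
  encodeURIComponent(
    'https://portal.phish.example/inbox?u=' +
      Buffer.from('jane.doe@example-corp.com').toString('base64'),
  );

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageLink(SAMPLE_LINK), null, 2));
}
```

The decoded address tells you which user and which organization the lure was built for, and the unwrapped chain gives you the final host to block and the trusted domain whose redirect is being abused; both belong in the incident ticket before anyone visits the page.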

Unlike traditional phishing setups that use simple HTTP POST requests to capture credentials and store them on a remote server, this campaign leverages a WebSocket connection for real-time data theft.
A WebSocket functions like a continuous, open connection between the user’s browser and the attacker’s server, allowing instant, two-way communication without reloading the page.
This capability enables threat actors to receive typed credentials immediately and even prompt victims for additional information, such as two-factor authentication codes, in real time.
Because the socket is typically carried over TLS (wss://) and stays open for the life of the page, there is no discrete form submission for an email gateway or web proxy to inspect; monitoring that keys on HTTP POST requests to the phishing host will miss the exfiltration unless it also flags the initial WebSocket upgrade (an HTTP 101 Switching Protocols response from an unexpected host) or inspects the TLS session.
Further analysis revealed that the phishing page heavily obfuscates JavaScript and dynamically loads code from remote servers to avoid static detection.
The campaign relies on multiple supporting domains to distribute or relay data, including subdomains of mdbgo[.]io, psee[.]io, and client1.inftrimool[.]xyz, among others.
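A detection engineer's counterpart to the description above is to hunt for the sequence "redirect hop, unfamiliar landing page, WebSocket upgrade to a host nobody in the organization uses" in proxy logs. The block below is an added example, not tooling from the article or from the researchers; the log records are constructed, the host names are hypothetical, and the field names assume a JSON export with one request per record and the `Upgrade` header surfaced as `upgrade`.

```javascript
// Added example (not from the original article): hunt for the "redirect -> phishing page ->
// WebSocket upgrade" pattern in web-proxy logs. Records and host names are constructed.
const PROXY_LOG = [
  { ts: 1000, client: '10.0.0.5', host: 'trusted-brand.example', uri: '/r?url=https://portal.phish.example/inbox', status: 302 },
  { ts: 1001, client: '10.0.0.5', host: 'portal.phish.example', uri: '/inbox?u=amFuZS5kb2U=', status: 200 },
  { ts: 1004, client: '10.0.0.5', host: 'client1.relay.example', uri: '/socket', status: 101, upgrade: 'websocket' },
  { ts: 1500, client: '10.0.0.7', host: 'chat.corp.example', uri: '/ws', status: 101, upgrade: 'websocket' },
  { ts: 1600, client: '10.0.0.9', host: 'portal.phish.example', uri: '/inbox', status: 200 },
];

// WebSocket endpoints the organization legitimately uses (hypothetical). Any other host that
// completes a 101 Switching Protocols handshake deserves a look.
const KNOWN_WS_HOSTS = new Set(['chat.corp.example', 'mail.corp.example']);

function isWebSocketUpgrade(rec) {
  return rec.status === 101 && String(rec.upgrade || '').toLowerCase() === 'websocket';
}

// For each unexpected WebSocket upgrade, look back windowSec seconds at the same client's
// requests so the alert carries the redirect chain that led to the socket, not just an
// isolated 101. A 3xx from another host inside the window raises the severity.
function findSuspiciousWebSockets(log, knownHosts = KNOWN_WS_HOSTS, windowSec = 60) {
  const sorted = [...log].sort((a, b) => a.ts - b.ts);
  const alerts = [];
  for (const rec of sorted) {
    if (!isWebSocketUpgrade(rec) || knownHosts.has(rec.host)) continue;
    const priorHops = sorted.filter(
      (r) => r !== rec && r.client === rec.client && r.ts < rec.ts && rec.ts - r.ts <= windowSec,
    );
    const redirectHop = priorHops.find((r) => r.status >= 300 && r.status < 400);
    alerts.push({
      client: rec.client,
      wsHost: rec.host,
      ts: rec.ts,
      landingHosts: [...new Set(priorHops.map((r) => r.host))],
      redirectFrom: redirectHop ? redirectHop.host : null,
      severity: redirectHop ? 'high' : 'medium',
    });
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findSuspiciousWebSockets(PROXY_LOG), null, 2));
}
```

This only works where the proxy terminates TLS and records the upgrade; without inspection you see just the SNI and a long-lived connection, so the fallback signal is a single TLS session to a newly seen domain that stays open for minutes and carries small bidirectional bursts, which is what a credential-and-MFA relay looks like on the wire.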
Heightened Vigilance Remains the Best Defense
Researchers emphasize that this attack succeeds by exploiting human trust and familiarity with corporate communication formats. Security awareness remains the first line of defense, though it needs technical controls behind it.
Employees should treat any unexpected “delivery report” or “pending message” alert with skepticism and independently verify its authenticity by logging directly into their webmail platform rather than clicking embedded links.
Checking the sender's domain name, hovering over hyperlinks before clicking, and using multi-factor authentication for all accounts raise the bar, but a one-time code typed into the phishing page can be relayed to the real service just as quickly as the password, which is exactly what the real-time channel is built for. Only phishing-resistant MFA (FIDO2 security keys or passkeys, which are bound to the genuine site's origin) prevents account compromise even if the password is exposed. Password managers help for the same reason: they match stored credentials to the real origin and will not autofill them on a look-alike page.
Modern security tools with built-in web protection, such as Malwarebytes Browser Guard, can block harmful redirects and prevent phishing pages from loading entirely. The growing complexity of these campaigns indicates that phishing operations are increasingly automated, data-driven, and adaptive.
As attackers move toward real-time credential theft using persistent communication channels, users and organizations must adopt a zero-trust approach to email interaction.
This latest campaign demonstrates a clear shift from crude imitation toward highly personalized deception, highlighting that even familiar-looking messages can conceal one of the most immediate and effective threats in modern email security.
The post Phishing Emails Disguised as Spam Alerts Can Steal Your Email Logins Instantly appeared first on Cyber Security News.
