Hackers Exploit DNS MX Records to Create Fake Logins Imitating 100+ Brands

Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed “Morphing Meerkat,” that leverages DNS mail exchange (MX) records to dynamically serve tailored phishing pages mimicking over 100 brands.

The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and maximize the effectiveness of its phishing campaigns.

DNS Abuse and Dynamic Content Delivery

At the core of Morphing Meerkat’s operation is its innovative use of DNS MX records.

The platform queries the MX record of a victim’s email domain using DNS over HTTPS (DoH) services from providers like Cloudflare and Google.

It then uses this information to dynamically load a phishing template that closely matches the victim’s email service provider, creating a more convincing and personalized phishing experience.

The PhaaS platform maintains a library of at least 114 unique email brand and ...