New Morphing Meerkat Phishing Scam Uses DNS MX Records

Image credits: Thailand Law Library

A sophisticated phishing operation dubbed Morphing Meerkat has been exploiting DNS mail exchange (MX) records to launch large-scale credential theft campaigns that spoof more than 100 well-known brands, according to cybersecurity firm Infoblox.

The threat actor behind this campaign is believed to operate a phishing-as-a-service (PhaaS) platform, offering a toolkit that enables attackers to create fake login pages and distribute phishing emails en masse. The service includes tools for bypassing email security filters, hiding malicious links, and automating credential theft operations.

Since early 2020, Morphing Meerkat has evolved into a global threat, targeting victims across industries—especially professionals in finance and enterprise software firms. Their phishing kits are now capable of impersonating 114 different email and service provider brands, including Gmail, Yahoo, Outlook, AOL, and Office 365.

What makes this phishing infrastructure particularly dangerous is its use of DNS MX records to dynamically load fake login pages that match the victim’s email provider. This technique delivers highly tailored attacks that appear legitimate and are hard to detect.

How Morphing Meerkat’s Phishing-as-a-Service Platform Works

Infoblox’s analysis reveals that Morphing Meerkat leverages compromised WordPress websites and open redirect vulnerabilities within adtech ecosystems to trick users into opening malicious links. The phishing pages themselves are dynamically translated using JavaScript, adapting the content to match the victim’s browser language, further boosting the scam’s credibility.

The infrastructure appears to be centrally managed, with most traffic routed through just two internet service providers—iomart in the UK and HostPapa in the US. This centralized behavior, along with consistent phishing kit patterns seen over five years, points to a single operator behind the PhaaS service.

To lure victims, attackers often impersonate trusted brands and services, including shipping companies and financial institutions. The phishing emails typically feature generic logos of email providers, paired with scare tactics like account suspension warnings or urgent delivery updates, compelling users to click on malicious links.

Advanced Evasion and Delivery Techniques

Morphing Meerkat’s phishing platform makes it tough for security tools to detect and block its campaigns. Instead of directly linking to phishing sites, attackers embed URLs to compromised domains, use popular link shorteners, or rely on free hosting platforms. They also abuse redirection mechanisms found in Google’s DoubleClick ad network, taking advantage of open redirect flaws to conceal the true destination.

The kit automatically detects a target’s email provider using DNS MX record lookups and then loads customized phishing pages accordingly. DNS-over-HTTPS (DoH) services from Cloudflare and Google are used to perform these lookups discreetly, avoiding detection by traditional network monitoring tools.
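A browser asking a public DoH resolver for an MX record is rare in normal traffic, which makes the lookup step described above a cheap hunting signal in web proxy logs. The following is an added example (not code from Infoblox or the article); the proxy log format and every hostname in it are constructed for illustration.

```python
"""Flag browser-originated DNS-over-HTTPS MX lookups in web proxy logs.

Added example for this article: the kit resolves the victim's MX record
through public DoH JSON endpoints (Cloudflare, Google) from page JavaScript,
so a client fetching an MX answer over HTTPS is worth surfacing.
"""
from urllib.parse import urlsplit, parse_qs

# Public DoH JSON endpoints named in the article (Cloudflare and Google).
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "1.1.1.1", "8.8.8.8"}
DOH_PATHS = {"/dns-query", "/resolve"}

# Constructed proxy log lines: timestamp, client IP, method, URL, referer.
SAMPLE_LOG = """\
2025-03-27T09:12:01Z 10.1.4.23 GET https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=MX https://compromised-blog.example/wp-content/uploads/doc.html
2025-03-27T09:12:02Z 10.1.4.23 GET https://compromised-blog.example/wp-content/uploads/doc.html -
2025-03-27T09:13:40Z 10.1.4.57 GET https://dns.google/resolve?name=cdn.example&type=A https://news.example/
2025-03-27T09:15:09Z 10.1.4.88 GET https://dns.google/resolve?name=partner.example&type=15 https://short.example/x7Qa
"""

def is_doh_mx_lookup(url):
    """Return the queried domain if url is a DoH JSON MX query, else None."""
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS or parts.path not in DOH_PATHS:
        return None
    qs = parse_qs(parts.query)
    rtype = qs.get("type", [""])[0].upper()
    if rtype not in ("MX", "15"):  # RFC 1035 type code 15 is MX
        return None
    return qs.get("name", [None])[0]

def find_doh_mx_lookups(log_text):
    """Parse log lines and return one hit per DoH MX query seen."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, referer = fields[:5]
        domain = is_doh_mx_lookup(url)
        if domain:
            # The referer is the page whose script issued the lookup.
            hits.append({"client": client, "domain": domain, "referer": referer})
    return hits

if __name__ == "__main__":
    for hit in find_doh_mx_lookups(SAMPLE_LOG):
        print(f"{hit['client']} looked up MX for {hit['domain']} "
              f"from page {hit['referer']}")
```

The referer of each hit points at the page that triggered the lookup, which is the phishing landing page to investigate and block.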

Credential Theft and Data Exfiltration

Once a victim submits their login details, the stolen credentials are transmitted back to the attackers through multiple channels. These include email dropboxes, PHP scripts on the phishing sites, AJAX-based remote transfer tools, and real-time communication through webhooks and chat platforms.

This multi-channel exfiltration method ensures the stolen data reaches the threat actor even if one channel is blocked or disrupted. Given the scope and technical depth of this campaign, Morphing Meerkat’s platform represents one of the most advanced phishing services currently in circulation.
