Screenshot of the first phishing URL redirection | Image: Trustwave SpiderLabs
Researchers at Trustwave SpiderLabs have published an analysis showing a significant uptick in phishing campaigns that rely on URL redirectors, compromised domains, and abused cloud services to evade detection. The report highlights how attackers are blending old techniques with new evasion tactics to bypass defenses and lure victims into credential theft schemes.
One of the most striking findings was the abuse of legitimate email marketing platforms to disguise malicious links. According to the report, “One such abused email marketing domain is ‘klclick3.com’, which is associated with Klaviyo, an email marketing and SMS automation platform. It is primarily used as a click-tracking domain to monitor user interactions with links in marketing and transactional emails.”
In one phishing campaign, emails with the subject line “New Voicemail” contained links redirecting to fake login pages. The final phishing page used the Chameleon phishing technique, which dynamically fetched the victim’s company logo to appear authentic. The report noted, “We found it uses the Chameleon phishing technique, wherein it fetches the domain of the email address and captures company information including the logo of the company to make it more convincing.”
Another case involved the domain dripemail2.com, linked to the Drip Global marketing platform. The lure impersonated DocuSign, eventually redirecting to a fake Microsoft login portal. Researchers observed that “the source code contained a suspicious Base64-encoded hash that, when decoded, reveals a redirect to another phishing site.”
Attackers also abused cloud infrastructure, particularly Amazon Web Services (AWS) and Cloudflare, to host phishing pages. In one example, a “Payment” or “Account Payable” themed email carried a link to an AWS S3 bucket. “The phishing email contains a malicious URL link… that redirects to a phishing page that mimics a Roundcube Webmail log-in page.”
The source code of this page used Cloudflare Turnstile for human verification and relied on AJAX for credential submission, making it harder for automated systems to flag as malicious. As Trustwave explains, “This kind of HTML content structure is now mostly seen on phishing pages where they abuse Cloudflare services to avoid immediate detection.”
Phishing actors are also compromising legitimate business websites to add credibility. One case involved airswift.ae, a freight services provider. The report details: “Threat actors tend to compromise legitimate domains to avoid being easily detected and to deceive victims into thinking that the login page is related to the domain or company.”
These attacks also leveraged CAPTCHA challenges and heavily obfuscated JavaScript to bypass detection. Victims were ultimately funneled to fake Microsoft login pages designed to harvest enterprise credentials.
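The indicators described above (links routed through abused click-tracking domains, pages hosted in S3 buckets, Cloudflare Turnstile gating, AJAX credential submission and Base64 strings that decode to a redirect) can be checked mechanically during triage. The following Python script is an added example, not code from the Trustwave report; the regular expressions, indicator names and sample page source are constructed for illustration.

```python
"""Defender-side triage of a suspected phishing URL and its page source."""
import base64
import binascii
import re
from urllib.parse import urlparse

# Click-tracking domains the report names as abused by phishers.
ABUSED_REDIRECTORS = {"klclick3.com", "dripemail2.com"}
# Virtual-host and path-style S3 hostnames (the report saw pages hosted in S3 buckets).
S3_HOST = re.compile(r"(^|\.)s3[.-][\w.-]*amazonaws\.com$")
# Base64 runs long enough to hide a URL (threshold is an assumption).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_urls(html):
    """Return URLs hidden inside Base64 strings in the page source."""
    found = []
    for token in B64_TOKEN.findall(html):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or not printable text
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


def triage(url, html):
    """Return the names of the report's indicators that fire for a URL and its source."""
    host = (urlparse(url).hostname or "").lower()
    hits = set()
    if host in ABUSED_REDIRECTORS or any(host.endswith("." + d) for d in ABUSED_REDIRECTORS):
        hits.add("abused_redirector")
    if S3_HOST.search(host):
        hits.add("s3_hosted")
    if "challenges.cloudflare.com/turnstile" in html:
        hits.add("turnstile_gate")
    if re.search(r'type=["\']password["\']', html) and re.search(r"\bfetch\(|XMLHttpRequest", html):
        hits.add("ajax_credential_post")
    if decoded_urls(html):
        hits.add("base64_redirect")
    return hits


# Constructed sample page source; the embedded hostname is a placeholder, not a real site.
SAMPLE_HTML = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
</head><body><form id="login"><input name="user"><input name="pass" type="password"></form>
<script>var nxt="%s";document.getElementById('login').onsubmit=function(e){
e.preventDefault();fetch('/post.php',{method:'POST',body:new FormData(this)});};
</script></body></html>""" % base64.b64encode(b"https://login-example.invalid/next").decode()
```

Running `triage("https://bucket-name.s3.amazonaws.com/index.html", SAMPLE_HTML)` reports all four page-side indicators, while a bare click-tracking link such as `https://klclick3.com/...` fires only `abused_redirector`.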
To counter these threats, Trustwave relies on its PageML system, described as “a hybrid system with machine learning and deep learning components supplemented by a URL intelligence and rules framework. It looks at URL structure and web page content in real-time and makes a prediction as to whether a web page is phishing/malicious or benign.”
Despite this, researchers warned that many phishing URLs analyzed were detected only by Trustwave in VirusTotal, underscoring how stealthy these campaigns can be.
Organizations are advised to strengthen phishing awareness training, deploy layered email and web filtering, and monitor traffic for anomalies linked to cloud-hosted resources.