PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

Threat Overview

In today’s digital landscape, cyber threats are becoming increasingly sophisticated. One such alarming trend is the creative use of Domain Name System (DNS) mechanisms by threat actors for malicious activities. A recent threat report published by AlienVault on March 31, 2025, highlights a significant development in this arena. The report, titled ‘PhaaS actor uses DoH and DNS MX to dynamically distribute phishing,’ details how Infoblox discovered a phishing kit that leverages DNS mail exchange (MX) records to dynamically serve fake login pages.

This phishing kit has been observed spoofing over 100 brands, making it a formidable threat to both individuals and organizations. The use of DNS mail exchange (MX) records in this manner is particularly concerning because it allows attackers to bypass traditional security measures and deliver highly targeted phishing attacks. By exploiting the trust associated with legitimate domains, these fake login pages can deceive even the most vigilant users.

The report provides a comprehensive analysis of the tactics, techniques, and procedures (TTPs) employed by this threat actor group. The confidence level in the reliability of this report is 100%, indicating that the information presented is highly credible. With a reliability rating of A – Completely reliable, security professionals can trust the findings and take appropriate actions to mitigate the risks.

The phishing kit operates by using DNS over HTTPS (DoH) to obscure its activities from conventional monitoring tools. DoH encrypts DNS queries, making it difficult for security solutions to detect and block malicious traffic. This technique enhances the stealthiness of the phishing campaign, allowing attackers to evade detection for extended periods.

The dynamic nature of the phishing kit is another critical aspect highlighted in the report. Because the kit consults DNS MX records at the time a page is requested, the threat actors can change which fake login page is served without redeploying the kit. This adaptability enables them to tailor their attacks to specific targets or respond quickly to changes in security defenses. The ability to dynamically distribute phishing pages makes this threat particularly challenging to counter.

Infoblox’s discovery of this sophisticated phishing kit underscores the need for advanced security measures. Organizations must adopt a multi-layered approach to cybersecurity, incorporating both technical controls and user awareness training. By understanding the TTPs employed by these threat actors, security teams can better prepare their defenses and respond more effectively to potential attacks.

Recommendations for Mitigation

  1. Implement Advanced Threat Detection: Utilize advanced threat detection tools that can identify anomalous DNS activity. These tools should be capable of detecting and blocking DoH traffic associated with known phishing campaigns.
  2. Enhance User Awareness Training: Educate employees about the risks of phishing attacks and how to recognize suspicious emails or login pages. Regular training sessions can significantly reduce the likelihood of successful phishing attempts.
  3. Deploy DNS Security Solutions: Invest in DNS security solutions that provide real-time monitoring and analysis of DNS traffic. These solutions can help detect and mitigate threats before they impact the organization.
  4. Regularly Update Security Policies: Ensure that security policies are up-to-date and align with the latest threat intelligence. This includes configuring firewalls, intrusion detection systems (IDS), and other security controls to block known malicious domains.
  5. Conduct Regular Security Audits: Perform regular security audits to identify vulnerabilities in the organization’s DNS infrastructure. Addressing these vulnerabilities can help prevent attackers from exploiting them for phishing campaigns.
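As an added example (not part of this summary or of Infoblox's report), the detection rule below illustrates recommendations 1 and 3 together with the DoH and MX behaviour described in the Threat Overview: it scans web-proxy log lines for browser-originated DNS-over-HTTPS JSON-API lookups and rates MX lookups highest, since a browser rendering an ordinary page has no reason to ask for a domain's mail exchangers. The log format, the sample lines, and the choice of dns.google and cloudflare-dns.com as resolver endpoints are assumptions; the report summary above does not say which resolvers the kit contacts. Browser-native DoH (RFC 8484) sends a base64url `dns=` wire-format message, so the `name=` query parameter of the JSON API is what distinguishes a page script's lookup from the browser's own resolver traffic.

```python
"""Added example: flag DoH JSON-API lookups (MX lookups in particular) seen in
web-proxy logs from browser clients. Log format and sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Public DoH resolvers that expose a JSON lookup API. The report summary does
# not name the resolvers the kit uses, so these are assumed sample values.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
DOH_PATHS = {"/resolve", "/dns-query"}
MX_TYPE_VALUES = {"mx", "15"}  # RRTYPE MX may be given by name or by number

# Constructed proxy-log format: <ts> <client-ip> "<METHOD> <URL>" <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    src: str
    severity: str  # "high" or "medium"
    reason: str
    queried_name: Optional[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[Finding]:
    """Decide whether one proxy-log entry is a DoH JSON-API lookup worth flagging."""
    parts = urlsplit(entry["url"])
    if parts.hostname not in DOH_HOSTS or parts.path not in DOH_PATHS:
        return None
    params = parse_qs(parts.query)
    # RFC 8484 browser DoH carries a "dns=" wire-format message; a "name="
    # parameter is the JSON API, which page scripts call via fetch().
    if "name" not in params:
        return None
    if not entry["ua"].startswith("Mozilla/"):
        return None  # CLI tools and system resolvers are out of scope here
    name = params["name"][0]
    rtype = params.get("type", ["A"])[0].lower()
    if rtype in MX_TYPE_VALUES:
        return Finding(entry["ts"], entry["src"], "high",
                       "browser-side DoH MX lookup (mail-provider fingerprinting)", name)
    return Finding(entry["ts"], entry["src"], "medium",
                   f"browser-side DoH JSON lookup (type={rtype})", name)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every parseable line and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
2025-03-31T10:01:02Z 10.0.0.15 "GET https://dns.google/resolve?name=victim-corp.example&type=MX" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"
2025-03-31T10:01:03Z 10.0.0.15 "GET https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=mx" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"
2025-03-31T10:01:04Z 10.0.0.15 "GET https://www.example.com/login" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"
2025-03-31T10:01:05Z 10.0.0.22 "GET https://dns.google/resolve?name=cdn.example&type=A" 200 "Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0"
2025-03-31T10:01:06Z 10.0.0.31 "GET https://dns.google/resolve?name=mail.example&type=MX" 200 "curl/8.5.0"
2025-03-31T10:01:07Z 10.0.0.15 "POST https://dns.google/dns-query" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.src:10} {str(f.queried_name):22} {f.reason}")
```

Running the block flags the two MX lookups from 10.0.0.15 as high and the type A lookup from 10.0.0.22 as medium; the curl request and the RFC 8484 POST are ignored. In production the same logic would run over decrypted proxy or DNS-resolver logs, and the medium finding is worth keeping as a low-volume hunting signal rather than an alert, since some legitimate web applications do call these JSON APIs.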

Conclusion

The discovery of this sophisticated phishing kit highlights the evolving nature of cyber threats. As threat actors continue to innovate and adapt their tactics, organizations must remain vigilant and proactive in their security measures. By understanding the TTPs employed by these actors and implementing robust security controls, organizations can better protect themselves against dynamic phishing attacks.

For more detailed information on this threat report, please refer to the following external references:

  • Infoblox Threat Intelligence Blog: https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
  • AlienVault OTX Pulse: https://otx.alienvault.com/pulse/67eaf35a20355ae846b8269d

By staying informed and taking proactive measures, organizations can significantly reduce their risk of falling victim to these advanced phishing attacks.
