Red Bull-Themed Phishing Attacks Target Job Seekers’ Credentials
Despite significant investments in email filtering, authentication procedures, and endpoint protection, phishing remains a major cyberthreat, and attackers are constantly refining their techniques to circumvent automated security measures.
A recent campaign identified by Evalian’s Security Operations Center (SOC) exemplifies this evolution, employing sophisticated deception to target job seekers with spoofed Red Bull recruitment emails.
These attacks leverage legitimate email services, transient VPS infrastructure, and brand impersonation to deliver malicious payloads that pass SPF, DKIM, and DMARC checks (the sending domain is attacker-controlled, so the authentication is genuine), ultimately funneling victims to credential-harvesting sites mimicking Facebook logins.
Evolving Tactics Bypass Enterprise Defenses
By dissecting the attack’s anatomy, from email headers to TLS fingerprints, analysts uncovered a broader network of interconnected domains and IPs, enabling proactive detection rollouts across managed SOC clients.
This human-led threat hunting, augmented by OSINT, transforms isolated incidents into scalable defenses, highlighting the limitations of purely automated tools in countering adaptive adversaries.
The phishing emails, masquerading as Red Bull job opportunities, originate from seemingly legitimate domains like [email protected], authenticated via Mailgun’s high-reputation IP pools.
Headers reveal sender IPs such as 198.244.57.62, with low Spam Confidence Levels (SCL=1) from Microsoft filters, allowing clean inbox delivery.
However, anomalies like the Reply-To address [email protected] expose the ruse, pointing to obfuscated infrastructure hosted on abuse-prone providers.
Embedded links direct users to domains like redbull-social-media-manager.apply-to-get-hired.com, which present a multi-stage lure: a reCAPTCHA challenge to deter scanners, a Glassdoor-esque job posting, and a fraudulent Facebook login page.

Network analysis via browser DevTools shows POST requests to /login_job endpoints resolving to IPs like 38.114.120.167, served by nginx/1.24.0 on Ubuntu, often resulting in 504 Gateway Timeouts. These may be intentional stalling tactics to outlast sandbox analysis, or simply signs of overburdened backends in disposable phishing kits.
Infrastructure Analysis Reveals Campaign Scale
Pivoting from the phishing domain’s TLS certificate (CN=bot2shimeta.charliechaplin7eont.space, issued by Let’s Encrypt) yields critical insights through JARM fingerprinting (27d40d40d00040d00042d43d000000d2e61cae37a985f75ecafb81b33ca523).
Shodan queries combining this fingerprint with issuer details and ASN 63023 (AS-GLOBALTELEHOST) narrow down to clusters of suspicious hosts, including subdomains like mrbeastmeta.charliechaplin7eont.space and samkymeta.charliechaplin7eont.space, all resolving to the same IP and spoofing brands like MrBeast and Meta.
Passive DNS reconnaissance via VirusTotal graphs related domains such as redbull-jobs.jobapply-careers.com, indicating a templated phishing operation deployed rapidly post-domain registration (e.g., charliechaplin7eont.space created May 30, 2025, via Porkbun registrar).
The Reply-To domain user0212-stripe.com, hosted on 172.81.134.78 under DataWagon LLC, features static HTML fronts mimicking benign tech sites, but shares fingerprints with other low-detection subdomains, suggesting automated kit rentals for scalable attacks.
This campaign abuses trusted services like Mailgun and Let’s Encrypt to piggyback on reputable authentication, bypassing filters while exploiting user trust in branded lures.
According to the report, Evalian’s SOC engineered detections mapping MITRE ATT&CK techniques like T1566.002 (Spearphishing Link) and T1071.001 (Web Protocols), correlating email IOCs with endpoint and network logs to hunt user interactions.
Queries target suspicious sender patterns, malicious URLs, and infrastructure traits, deployed fleet-wide to preempt variants.
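The header anomalies described above (a Mailgun-authenticated sender delivered at SCL=1, a Reply-To on a different domain, a branded lookalike link) and the IOC-to-log correlation the SOC deployed can be put into one triage script. The following is an added example, not Evalian’s detection content or the report’s queries. The sender mailbox, the Reply-To local part, the proxy log format, the user names, and the list of legitimate brand domains are assumptions; the email and log samples are constructed from the article’s indicators.

```python
"""Triage a suspected recruitment-lure email and hunt for users who interacted
with its infrastructure. Added example; not Evalian's tooling. All sample data
below is constructed from the indicators in the article."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators from the article's IOC table, re-fanged for matching.
IOC_DOMAINS = {"charliechaplin7eont.space", "apply-to-get-hired.com", "user0212-stripe.com"}
IOC_IPS = {"38.114.120.167"}
# Brand tokens the campaign spoofs, and the domains assumed to own those brands.
BRAND_TOKENS = {"redbull", "mrbeast", "meta", "facebook", "glassdoor"}
BRAND_DOMAINS = {"redbull.com", "facebook.com", "meta.com", "glassdoor.com"}  # assumption

# Constructed sample. The sender mailbox and Reply-To local part are
# placeholders; the article only gives the sender IP, SCL and Reply-To domain.
SAMPLE_EMAIL = """\
Received: from m.example-mailgun.net (198.244.57.62) by mx.example.com
Authentication-Results: spf=pass smtp.mailfrom=attacker-sender.example; dkim=pass; dmarc=pass
X-MS-Exchange-Organization-SCL: 1
From: Red Bull Careers <careers@attacker-sender.example>
Reply-To: Recruiting <recruiting@user0212-stripe.com>
Subject: Red Bull Social Media Manager - apply today
Content-Type: text/plain

Apply here: https://redbull-social-media-manager.apply-to-get-hired.com/apply
"""

# Constructed proxy log, one event per line: "<ts> <user> <method> <url> <dst_ip> <status>".
SAMPLE_PROXY_LOG = """\
2025-06-02T09:14:03Z alice GET https://redbull-social-media-manager.apply-to-get-hired.com/ 38.114.120.167 200
2025-06-02T09:14:41Z alice POST https://redbull-social-media-manager.apply-to-get-hired.com/login_job 38.114.120.167 504
2025-06-02T09:20:11Z bob GET https://www.redbull.com/careers 203.0.113.10 200
"""


def mail_domain(addr):
    """Lowercased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def matches_ioc(host, ioc_domains=IOC_DOMAINS):
    """Suffix match so kit subdomains (bot2shimeta.<domain>) hit as well as the apex."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the indicators used here."""
    return ".".join(host.lower().split(".")[-2:])


def extract_indicators(raw):
    """Pull the fields the analysis above relies on out of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    scl = (msg.get("X-MS-Exchange-Organization-SCL") or "").strip()
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    return {
        "sender_ip": next(iter(re.findall(r"\((\d+\.\d+\.\d+\.\d+)\)", msg.get("Received", ""))), ""),
        "from_domain": mail_domain(from_addr),
        "reply_to_domain": mail_domain(reply_addr),
        "auth": auth,
        "scl": int(scl) if scl.lstrip("-").isdigit() else None,
        "hosts": [urlparse(u).hostname or "" for u in urls],
    }


def assess(ind, ioc_domains=IOC_DOMAINS):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if ind["reply_to_domain"] and ind["reply_to_domain"] != ind["from_domain"]:
        findings.append(f"reply-to domain {ind['reply_to_domain']} differs from sender domain {ind['from_domain']}")
    if matches_ioc(ind["reply_to_domain"], ioc_domains):
        findings.append(f"reply-to domain {ind['reply_to_domain']} is a known IOC")
    for host in ind["hosts"]:
        tokens = set(re.split(r"[.-]", host.lower()))
        if matches_ioc(host, ioc_domains):
            findings.append(f"link host {host} matches a known IOC")
        elif tokens & BRAND_TOKENS and registered_domain(host) not in BRAND_DOMAINS:
            findings.append(f"link host {host} uses a brand name outside the brand's own domain")
    if findings and all(v == "pass" for v in ind["auth"].values()) and ind["scl"] is not None and ind["scl"] <= 1:
        findings.append(f"passed SPF/DKIM/DMARC with SCL={ind['scl']}: reputation checks alone would have delivered it")
    return findings


def hunt_interactions(log_text, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Find proxy events touching campaign infrastructure; a POST means a form was submitted."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, method, url, dst_ip, status = parts
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if matches_ioc(host, ioc_domains) or dst_ip in ioc_ips:
            hits.append({"ts": ts, "user": user, "method": method, "host": host,
                         "path": parsed.path or "/", "status": int(status),
                         "submitted_form": method.upper() == "POST"})
    return hits


if __name__ == "__main__":
    for finding in assess(extract_indicators(SAMPLE_EMAIL)):
        print("email:", finding)
    for hit in hunt_interactions(SAMPLE_PROXY_LOG):
        print("proxy:", hit["user"], hit["method"], hit["host"] + hit["path"], hit["status"])
```

The email side flags the message on structure (Reply-To mismatch, IOC and brand-token checks on link hosts) rather than on reputation, which is exactly the signal the Mailgun-authenticated, SCL=1 delivery lacks. The proxy side treats a POST to a known kit host (here the 504-answered /login_job request) as a probable credential submission, which is the event worth escalating to a password reset rather than just a block.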
Such operations underscore phishing’s shift toward infrastructure-as-a-service models, where attackers churn domains, leverage influencer impersonation, and introduce latencies to evade sandboxes.
For defenders, this demands layered hunting: monitoring cloud mailers, TLS artifacts, and OSINT pivots rather than relying on basic blocks, since sender authentication alone proves insufficient against weaponized trust.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| Domain | charliechaplin7eont[.]space |
| Domain | *.apply-to-get-hired[.]com |
| Domain | user0212-stripe[.]com |
| IP Address | 38.114.120[.]167 |
| ASN | 63023 (AS-GLOBALTELEHOST) |
| TLS Cert CN | bot2shimeta.charliechaplin7eont[.]space |
| JARM Fingerprint | 27d40d40d00040d00042d43d000000d2e61cae37a985f75ecafb81b33ca523 |
| Mail Sender | [email protected][.]com |
| Reply-To | [email protected][.]com |